Uploading new detections

detections/cloud/azure_ad_azurehound_useragent_detected.yml

@@ -0,0 +1,64 @@
+name: Azure AD AzureHound UserAgent Detected
+id: d62852db-a1f1-40db-a7fc-c3d56fa8bda3
+version: 1
+date: '2025-01-06'
+author: Dean Luxton
+data_sources:
+- Azure Active Directory NonInteractiveUserSignInLogs
+- Azure Active Directory MicrosoftGraphActivityLogs
+type: TTP
+status: production
+description: This detection looks for the default AzureHound useragent string within Graph Activity logs and NonInteractive SignIn Logs. 
+search: >-
+  `azure_monitor_aad` category IN (MicrosoftGraphActivityLogs, NonInteractiveUserSignInLogs) properties.userAgent=azurehound*
+  | eval createdDateTime=strptime('properties.createdDateTime',"%Y-%m-%dT%H:%M:%S.%7Q%z")
+  | stats min(createdDateTime) as _time values(user_agent) as user_agent values(user) as user count values(src_category) as src_category by src tenantId
+  | iplocation src
+  | `azure_ad_azurehound_useragent_detected_filter`
+how_to_implement: The Splunk Add-on for Microsoft Cloud Services add-on is required to ingest NonInteractiveUserSignInLogs and MicrosoftGraphActivityLogs via an Azure EventHub. See reference for links for further details. 
+known_false_positives: None
+references:
+- https://github.com/SpecterOps/AzureHound
+- https://splunkbase.splunk.com/app/3110
+- https://docs.splunk.com/Documentation/AddOns/released/MSCloudServices/Install
+tags:
+  analytic_story:
+  - Azure Active Directory Privilege Escalation
+  - Compromised User Account
+  asset_type: Azure Tenant
+  confidence: 100
+  impact: 80
+  message: AzureHound UserAgent String $user_agent$ Detected on Tenant $tenantId$
+  mitre_attack_id:
+  - T1087.004
+  - T1526
+  observable:
+  - name: src
+    type: IP Address
+    role:
+    - Attacker
+  - name: user
+    type: User
+    role:
+    - Attacker
+  - name: user_agent
+    type: User Agent
+    role:
+    - Attacker
+  product:
+  - Splunk Enterprise
+  - Splunk Enterprise Security
+  - Splunk Cloud
+  required_fields:
+  - src
+  - category
+  - properties.userAgent
+  - tenantId
+  risk_score: 80
+  security_domain: identity
+tests:
+- name: True Positive Test
+  attack_data:
+  - data: https://github.com/splunk/contentctl/wiki
+    sourcetype: UPDATE SOURCETYPE
+    source: UPDATE SOURCE

detections/cloud/azure_ad_service_principal_enumeration.yml

@@ -0,0 +1,68 @@
+name: Azure AD Service Principal Enumeration
+id: 3f0647ce-add5-4436-8039-cbd1abe74563
+version: 1
+date: '2025-01-06'
+author: Dean Luxton
+data_source:
+- Azure Active Directory MicrosoftGraphActivityLogs
+type: TTP
+status: production
+description: >-
+  This detection leverages azure graph activity logs to identify when graph APIs have been used to identify 10 or more service principals. 
+  This type of behaviour is associated with tools such as Azure enumberation tools such as AzureHound or ROADtools.
+search: >-
+  `azure_monitor_aad` category IN (MicrosoftGraphActivityLogs) TERM(servicePrincipals)
+  | rex field="properties.requestUri" "https\:\/\/graph.microsoft.com\/beta\/servicePrincipals\/(?P<servicePrincipalb>.*?)\/"
+  | rex field="properties.requestUri" "https\:\/\/graph.microsoft.com\/v1.0\/servicePrincipals\/(?P<servicePrincipalv1>.*?)\/"
+  | eval spn=coalesce(servicePrincipalb,servicePrincipalv1) | stats min(_time) as _time dc(spn) as spn_count values(user) as user values(user_category) as user_category values(src_category) as src_category count by src tenantId properties.userAgent
+  | rename properties.userAgent as user_agent
+  | where spn_count>9 | `azure_ad_service_principal_enumeration_filter`
+how_to_implement: Run this detection over historical data to identify then tune out any known services which may be performing this action. Thresholds can be lowered or raised to meet requirements. 
+The Splunk Add-on for Microsoft Cloud Services add-on is required to ingest MicrosoftGraphActivityLogs via Azure EventHub. See reference for links for further details on how to onboard this log source. 
+known_false_positives: Unknown
+references:
+- https://github.com/SpecterOps/AzureHound
+- https://github.com/dirkjanm/ROADtools
+- https://splunkbase.splunk.com/app/3110
+- https://docs.splunk.com/Documentation/AddOns/released/MSCloudServices/Install
+tags:
+  analytic_story:
+  - Azure Active Directory Privilege Escalation
+  - Compromised User Account
+  asset_type: Azure Tenant
+  confidence: 100
+  impact: 80
+  message: $spn_count$ Service Principals have been enumerated by $user$ from IP $src$
+  mitre_attack_id:
+  - T1087.004
+  - T1526
+  observable:
+  - name: src
+    type: IP Address
+    role:
+    - Attacker
+  - name: user
+    type: User
+    role:
+    - Attacker
+  - name: user_agent
+    type: User Agent
+    role:
+    - Attacker
+  product:
+  - Splunk Enterprise
+  - Splunk Enterprise Security
+  - Splunk Cloud
+  required_fields:
+  - category
+  - properties.requestUri
+  - src
+  - user
+  risk_score: 80
+  security_domain: identity
+tests:
+- name: True Positive Test
+  attack_data:
+  - data: https://github.com/splunk/contentctl/wiki
+    sourcetype: UPDATE SOURCETYPE
+    source: UPDATE SOURCE

detections/cloud/azure_ad_service_principal_privilege_escalation.yml

@@ -0,0 +1,58 @@
+name: Azure AD Service Principal Privilege Escalation
+id: 29eb39d3-2bc8-49cc-99b3-35593191a588
+version: 1
+date: '2025-01-06'
+author: Dean Luxton
+data_sources: []
+type: TTP
+status: production
+description: UPDATE_DESCRIPTION
+search: "`azure_monitor_aad` category=AuditLogs operationName=\"Add app role assignment\
+  \ to service principal\" properties.initiatedBy.app.displayName=* properties.result=Success\
+  \ \n| spath path=properties{}.targetResources{}.modifiedProperties{} output=targetResources\n\
+  | stats min(_time) as _time values(eval(mvfilter(match(targetResources, \"AppRole.Value\"\
+  )))) as appRole, values(eval(mvfilter(match(targetResources, \"ServicePrincipal.DisplayName\"\
+  )))) as targetServicePrincipal values(eval(mvindex('properties.targetResources{}.displayName',0)))\
+  \ as targetAppContext values(user_agent) as user_agent values(identity) as servicePrincipal\
+  \ values(properties.initiatedBy.app.servicePrincipalId) as servicePrincipalId by\
+  \ operationName tenantId correlationId\n| spath input=appRole path=newValue output=appRole\n\
+  | spath input=targetServicePrincipal path=newValue output=targetServicePrincipal\n\
+  | eval appRole=trim(replace(appRole, \"\\\"\", \"\")), targetServicePrincipal=trim(replace(targetServicePrincipal,\
+  \ \"\\\"\", \"\"))\n| where servicePrincipal=targetServicePrincipal\n| table _time\
+  \ operationName servicePrincipal servicePrincipalId targetServicePrincipal appRole\
+  \ targetAppContext user_agent tenantId correlationId\n | `azure_ad_service_principal_privilege_escalation_filter`"
+how_to_implement: UPDATE_HOW_TO_IMPLEMENT
+known_false_positives: UPDATE_KNOWN_FALSE_POSITIVES
+references:
+- REFERENCE
+tags:
+  analytic_story:
+  - UPDATE_STORY_NAME
+  asset_type: UPDATE asset_type
+  confidence: UPDATE value between 1-100
+  impact: UPDATE value between 1-100
+  message: UPDATE message
+  mitre_attack_id:
+  - T1098.001
+  - T1098
+  observable:
+  - name: UPDATE
+    type: UPDATE
+    role:
+    - UPDATE
+  product:
+  - Splunk Enterprise
+  - Splunk Enterprise Security
+  - Splunk Cloud
+  required_fields:
+  - UPDATE
+  risk_score: UPDATE (impact * confidence)/100
+  security_domain: identity
+  cve:
+  - UPDATE WITH CVE(S) IF APPLICABLE
+tests:
+- name: True Positive Test
+  attack_data:
+  - data: https://github.com/splunk/contentctl/wiki
+    sourcetype: UPDATE SOURCETYPE
+    source: UPDATE SOURCE

detections/cloud/azure_intune_new_device_health_script_created.yml

@@ -0,0 +1,49 @@
+name: Azure Intune New Device Health Script Created
+id: 6fe42e07-15b1-4caa-b547-7885666cb1bd
+version: 1
+date: '2025-01-06'
+author: Dean Luxton
+data_sources: []
+type: Hunting
+status: production
+description: Intune Remediation Scripts can be used to move laterally to intune managed devices. This detection identifies when a new device health script has been created. 
+search: >-
+  `azure_monitor_activity` operationName="createDeviceHealthScript DeviceHealthScript" 
+  | rename identity as user, properties.TargetObjectIds{} as TargetObjectId
+  | table _time correlationId resultType user TargetObjectId
+  | `azure_intune_new_device_health_script_created_filter`
+how_to_implement: The Splunk Add-on for Microsoft Cloud Services add-on is required to ingest In-Tune audit logs via Azure EventHub. To configure this logging, visit Intune > Tenant administration > Diagnostic settings > Add diagnostic setting & send events to the activity audit event hub. 
+known_false_positives: False positives are expected from this detection. 
+references:
+- https://posts.specterops.io/death-from-above-lateral-movement-from-azure-to-on-prem-ad-d18cb3959d4d
+tags:
+  analytic_story:
+  - Azure Active Directory Account Takeover
+  asset_type: Azure Tenant
+  confidence: 20
+  impact: 100
+  message: Intune device health script $TargetObjectId$ was created by user $user$
+  mitre_attack_id:
+  - T1072
+  - T1021.007
+  observable:
+  - name: user
+    type: User
+    role:
+    - Attacker
+  product:
+  - Splunk Enterprise
+  - Splunk Enterprise Security
+  - Splunk Cloud
+  required_fields:
+  - operationName
+  - identity
+  - properties.TargetObjectIds{}
+  risk_score: 20
+  security_domain: audit
+tests:
+- name: True Positive Test
+  attack_data:
+  - data: https://github.com/splunk/contentctl/wiki
+    sourcetype: UPDATE SOURCETYPE
+    source: UPDATE SOURCE

detections/cloud/o365_service_principal_privilege_escalation.yml

@@ -0,0 +1,61 @@
+name: O365 Service Principal Privilege Escalation
+id: b686d0bd-cca7-44ca-ae07-87f6465131d9
+version: 1
+date: '2025-01-06'
+author: Dean Luxton
+data_sources: []
+type: TTP
+status: production
+description: This detection identifies when an Azure Service Principal elevates privileges by adding themself to a new app role assignment.
+search: >- 
+  `o365_management_activity` Operation="Add app role assignment to service principal." "Actor{}.ID"=ServicePrincipal ResultStatus=Success
+  | spath path=ModifiedProperties{} output=targetResources
+  | stats min(_time) as _time values(eval(mvfilter(match(targetResources, "AppRole.Value")))) as appRole, values(eval(mvfilter(match(targetResources, "ServicePrincipal.DisplayName")))) as targetServicePrincipal values(object) as targetAppContext values(user_agent) as user_agent values(user) as servicePrincipal values(UserId) as servicePrincipalId  by Operation InterSystemsId tenant_id
+  | spath input=appRole path=NewValue output=appRole
+  | spath input=targetServicePrincipal path=NewValue output=targetServicePrincipal
+  | where servicePrincipal=targetServicePrincipal
+  | table _time Operation servicePrincipal servicePrincipalId appRole targetAppContext user_agent tenant_id InterSystemsId
+how_to_implement: The Splunk Add-on for Microsoft Office 365 add-on is required to ingest EntraID audit logs via the 365 API. See references for links for further details on how to onboard this log source. 
+known_false_positives: Unknown
+references:
+- https://splunkbase.splunk.com/app/4055
+tags:
+  analytic_story:
+  - Azure Active Directory Privilege Escalation
+  asset_type: Azure Tenant
+  confidence: 100
+  impact: 100
+  message: Service Principal $servicePrincipal$ has elevated privileges by adding themself to app role $appRole$
+  mitre_attack_id:
+  - T1098.001
+  - T1098
+  observable:
+  - name: servicePrincipal
+    type: User
+    role:
+    - Attacker
+  - name: user_agent
+    type: User Agent
+    role:
+    - Attacker
+  product:
+  - Splunk Enterprise
+  - Splunk Enterprise Security
+  - Splunk Cloud
+  required_fields:
+  - user_agent
+  - Actor{}.ID
+  - ResultStatus
+  - Operation
+  - ModifiedProperties{} 
+  - user
+  - InterSystemsId
+  - tenant_id
+  risk_score: 100
+  security_domain: identity
+tests:
+- name: True Positive Test
+  attack_data:
+  - data: https://github.com/splunk/contentctl/wiki
+    sourcetype: UPDATE SOURCETYPE
+    source: UPDATE SOURCE

macros/azure_monitor_activity.yml

@@ -0,0 +1,4 @@
+definition: sourcetype=azure:monitor:activity
+description: customer specific splunk configurations(eg- index, source, sourcetype).
+  Replace the macro definition with configurations for your Splunk Environment.
+name: azure_monitor_activity