From 367e3fe4b5cccb04e4060c453d875be5e32e5ca5 Mon Sep 17 00:00:00 2001
From: dluxtron <106139814+dluxtron@users.noreply.github.com>
Date: Wed, 1 Nov 2023 10:58:16 +1000
Subject: [PATCH] updating detections
---
 detections/application/user_added_to_privileged_group.yml | 4 +++-
 .../endpoint/windows_ad_domain_replication_acl_addition.yml | 4 ++--
 detections/network/internal_horizontal_port_scan.yml | 2 ++
 detections/network/internal_vulnerability_scan.yml | 4 ++--
 4 files changed, 9 insertions(+), 5 deletions(-)
diff --git a/detections/application/user_added_to_privileged_group.yml b/detections/application/user_added_to_privileged_group.yml
index 824f7f3173..b7ec9ec882 100644
--- a/detections/application/user_added_to_privileged_group.yml
+++ b/detections/application/user_added_to_privileged_group.yml
@@ -21,7 +21,8 @@ references:
 - https://splunkbase.splunk.com/app/6853
 tags:
 analytic_story:
- - UPDATE_STORY_NAME
+ - Active Directory Privilege Escalation
+ - Sneaky Active Directory Persistence Tricks
 asset_type: Endpoint
 confidence: 100
 impact: 50
@@ -46,6 +47,7 @@ tags:
 - Group_Name
 - dest
 security_domain: identity
+ manual_test: This search uses a lookup provided by Enterprise Security and needs to be manually tested.
 tests:
 - name: True Positive Test
 attack_data:
diff --git a/detections/endpoint/windows_ad_domain_replication_acl_addition.yml b/detections/endpoint/windows_ad_domain_replication_acl_addition.yml
index 8c85f0763e..c41c71b3a6 100644
--- a/detections/endpoint/windows_ad_domain_replication_acl_addition.yml
+++ b/detections/endpoint/windows_ad_domain_replication_acl_addition.yml
@@ -18,7 +18,7 @@ search: '`wineventlog_security` EventCode=5136 | rex field=AttributeValue max_match=10000 "OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;(?PS-1-[ 0-59]-\d{2}-\d{8,10}-\d{8,10}-\d{8,10}-[ 1-9]\d{3})\)" | rex field=AttributeValue max_match=10000 "OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;(?PS-1-[ 0-59]-\d{2}-\d{8,10}-\d{8,10}-\d{8,10}-[ 1-9]\d{3})\)" | rex field=AttributeValue max_match=10000 "OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;(?PS-1-[ 0-59]-\d{2}-\d{8,10}-\d{8,10}-\d{8,10}-[ 1-9]\d{3})\)" - | table _time dest src_user DSRGetChanges_user_sid DSRGetChangesAll_user_sid DSRGetChangesFiltered_user_sid\ + | table _time dest src_user DSRGetChanges_user_sid DSRGetChangesAll_user_sid DSRGetChangesFiltered_user_sid | mvexpand DSRGetChanges_user_sid | eval minDCSyncPermissions=if(DSRGetChanges_user_sid=DSRGetChangesAll_user_sid,"true","false"), fullSet=if(DSRGetChanges_user_sid=DSRGetChangesAll_user_sid AND DSRGetChanges_user_sid=DSRGetChangesFiltered_user_sid,"true","false") | where minDCSyncPermissions="true"
@@ -72,7 +72,7 @@ tags:
 - ObjectClass
 risk_score: 80
 security_domain: endpoint
- manual_test: This search uses a lookup provided by Enterprise Security and needs to be manually tested.
+ manual_test: False
 tests:
 - name: True Positive Test
 attack_data:
diff --git a/detections/network/internal_horizontal_port_scan.yml b/detections/network/internal_horizontal_port_scan.yml
index 06d963e04b..1b147b8e4d 100644
--- a/detections/network/internal_horizontal_port_scan.yml
+++ b/detections/network/internal_horizontal_port_scan.yml
@@ -52,4 +52,6 @@ tests:
 - name: True Positive Test
 attack_data:
 - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1046/nmap/horizontal.log
+ source: aws:cloudwatchlogs:vpcflow
 sourcetype: aws:cloudwatchlogs:vpcflow
+ update_timestamp: true
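Review bot: The SID pattern repeated in the three `rex` context lines, rendered here as `S-1-[ 0-59]-\d{2}-\d{8,10}-\d{8,10}-\d{8,10}-[ 1-9]\d{3}`, only accepts a trustee whose RID is exactly four digits and whose sub-authorities are 8-10 digits, so an ACE that grants the replication extended right to a principal with a RID below 1000 (built-in accounts and groups) or of 10000 and above is never captured, and the `where minDCSyncPermissions="true"` filter then drops the event. Widening the tail of each of the three patterns to `-\d{1,10}-\d{1,10}-\d{1,10}-\d+)` keeps the capture groups and the rest of the search unchanged; the missing group names and the spaces inside the character classes look like rendering artifacts on this page, so apply the change against the file itself. The `search:` scalar these lines belong to begins before the hunk.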
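Review bot: `manual_test: False` on the added line is a YAML boolean, while the same field is a free-text reason elsewhere in this commit (the first file's second hunk adds `manual_test: This search uses a lookup provided by Enterprise Security and needs to be manually tested.`). Depending on how the content loader coerces it, a bare `False` is either rejected by the schema or stringified to `"False"`, and a non-empty reason string would presumably still mark the detection as manually tested and keep it out of automated test runs, the opposite of what the change intends. If the field is a plain string, deleting the `manual_test:` line is the safer way to express that no manual test is needed.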
diff --git a/detections/network/internal_vulnerability_scan.yml b/detections/network/internal_vulnerability_scan.yml
index deaecbf908..7b5e0bef75 100644
--- a/detections/network/internal_vulnerability_scan.yml
+++ b/detections/network/internal_vulnerability_scan.yml
@@ -3,7 +3,7 @@ id: 46f946ed-1c78-4e96-9906-c7a4be15e39b
 version: 1
 date: '2023-10-27'
 author: Dean Luxton
-status: Experimental
+status: experimental
 type: TTP
 data_source: []
 description: This analytic detects internal hosts triggering multiple IDS signatures (either more than 25 signatures against a single host, or a single signature across over 25 destinations), which can be indicative of active vulnerability scanning performed within the network.
@@ -35,7 +35,7 @@ tags:
 - T1595.002
 - T1046
 observable:
- - name: src_ip
+ - name: src
 type: Hostname
 role:
 - Victim
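Review bot: The renamed observable `src` keeps `role: - Victim` and `type: Hostname`, but the description in the earlier hunk frames the source host as the one performing the scanning, which makes it the actor rather than the victim of this detection; if the observable role list the loader accepts includes `Attacker`, that reads as the accurate tag here, and if `src` carries IP addresses (the old name was `src_ip`) the type is presumably not `Hostname`. Also confirm that the `search:` actually outputs a field named `src` rather than `src_ip`; the search is outside this hunk, so the rename cannot be checked from the diff.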