diff --git a/contentctl.yml b/contentctl.yml index 43c4ee9306..9fdb8e316f 100644 --- a/contentctl.yml +++ b/contentctl.yml @@ -182,6 +182,12 @@ apps: version: 1.4.1 description: description of app hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/microsoft-defender-advanced-hunting-add-on-for-splunk_141.tgz +- uid: 6207 + title: Splunk Add-on for Microsoft Security + appid: Splunk_TA_MS_Security + version: 2.3.0 + description: description of app + hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/splunk-add-on-for-microsoft-security_230.tgz - uid: 2734 title: URL Toolbox appid: URL_TOOLBOX diff --git a/data_sources/ms365_defender_incident_alerts.yml b/data_sources/ms365_defender_incident_alerts.yml new file mode 100644 index 0000000000..09eeec400b --- /dev/null +++ b/data_sources/ms365_defender_incident_alerts.yml @@ -0,0 +1,234 @@ +name: MS365 Defender Incident Alerts +id: 12345678-90ab-cdef-1234-567890abcdef +version: 1 +date: '2024-07-18' +author: Bhavin Patel, Splunk +description: Data source object for MS365 Defender Incident Alerts +source: ms365_defender_incident_alerts +sourcetype: ms365:defender:incident:alerts +supported_TA: +- name: Splunk Add-on for Microsoft Security + url: https://splunkbase.splunk.com/app/6207 + version: 2.3.0 +fields: +- actorName +- alertId +- app +- assignedTo +- body +- category +- classification +- creationTime +- date_hour +- date_mday +- date_minute +- date_month +- date_second +- date_wday +- date_year +- date_zone +- description +- dest +- detectionSource +- detectorId +- determination +- devices{}.aadDeviceId +- devices{}.defenderAvStatus +- devices{}.deviceDnsName +- devices{}.firstSeen +- devices{}.healthStatus +- devices{}.loggedOnUsers{}.accountName +- devices{}.loggedOnUsers{}.domainName +- devices{}.mdatpDeviceId +- devices{}.onboardingStatus +- devices{}.osBuild +- devices{}.osPlatform +- devices{}.osProcessor +- devices{}.rbacGroupName +- devices{}.riskScore +- devices{}.version +- devices{}.vmMetadata +- devices{}.vmMetadata.cloudProvider +- devices{}.vmMetadata.resourceId +- devices{}.vmMetadata.subscriptionId +- devices{}.vmMetadata.vmId +- entities{}.aadUserId +- entities{}.accountName +- entities{}.applicationId +- entities{}.applicationName +- entities{}.detectionStatus +- entities{}.deviceId +- entities{}.domainName +- entities{}.entityType +- entities{}.evidenceCreationTime +- entities{}.fileName +- entities{}.filePath +- entities{}.ipAddress +- entities{}.parentProcessCreationTime +- entities{}.parentProcessFileName +- entities{}.parentProcessFilePath +- entities{}.parentProcessId +- entities{}.processCommandLine +- entities{}.processCreationTime +- entities{}.processId +- entities{}.remediationStatus +- entities{}.remediationStatusDetails +- entities{}.sha1 +- entities{}.sha256 +- entities{}.userPrincipalName +- entities{}.userSid +- entities{}.verdict +- eventtype +- firstActivity +- host +- id +- incidentId +- index +- investigationId +- investigationState +- lastActivity +- lastUpdatedTime +- linecount +- mitreTechniques{} +- mitre_technique_id +- providerAlertId +- resolvedTime +- serviceSource +- severity +- signature +- signature_id +- source +- sourcetype +- splunk_server +- splunk_server_group +- src +- status +- subject +- tag +- tag::app +- tag::eventtype +- threatFamilyName +- timeendpos +- timestartpos +- title +- type +- user +- user_name +- _bkt +- _cd +- _eventtype_color +- _indextime +- _raw +- _serial +- _si +- _sourcetype +- _subsecond +- _time +example_log: | + { + "alertId": "da638001130101730338_582949328", + "providerAlertId": "da638001130101730338_582949328", + "incidentId": 486, + "serviceSource": "MicrosoftDefenderForEndpoint", + "creationTime": "2022-09-30T05:36:50.1732198Z", + "lastUpdatedTime": "2022-11-19T01:35:42.7033333Z", + "resolvedTime": "2022-10-01T01:36:00.5066667Z", + "firstActivity": "2022-09-30T05:06:43.8196597Z", + "lastActivity": "2022-09-30T05:06:43.8196597Z", + "title": "Suspicious URL clicked", + "description": "A user opened a potentially malicious URL. This alert was triggered based on a Microsoft Defender for Office 365 alert.", + "category": "InitialAccess", + "status": "Resolved", + "severity": "High", + "investigationId": null, + "investigationState": "UnsupportedAlertType", + "classification": "TruePositive", + "determination": "SecurityTesting", + "detectionSource": "MTP", + "detectorId": "359b36eb-337c-4f1c-b280-8c5e08f9c4a0", + "assignedTo": "msftadmin@metal.m365dpoc.com", + "actorName": null, + "threatFamilyName": null, + "mitreTechniques": [ + "T1566.002" + ], + "devices": [ + { + "mdatpDeviceId": "c7e147cb0eb3534a4dcea5acb8e61c933713b145", + "aadDeviceId": null, + "deviceDnsName": "metal-win10v.metal.m365dpoc.com", + "osPlatform": "Windows10", + "version": "1809", + "osProcessor": "x64", + "osBuild": 17763, + "healthStatus": "Active", + "riskScore": "High", + "rbacGroupName": "Full Auto Clients", + "firstSeen": "2022-08-08T08:51:02.455Z", + "tags": [ + "Full auto" + ], + "defenderAvStatus": "Updated", + "onboardingStatus": "Onboarded", + "vmMetadata": { + "vmId": "17881b39-b03f-4a2c-9b56-078be1330bd0", + "cloudProvider": "Unknown", + "resourceId": "/subscriptions/29e73d07-8740-4164-a257-592a19a7b77c/resourceGroups/MSDXV2/providers/Microsoft.Compute/virtualMachines/MSDXV2-Win10V", + "subscriptionId": "29e73d07-8740-4164-a257-592a19a7b77c" + }, + "loggedOnUsers": [ + { + "accountName": "hetfield", + "domainName": "MSDXV2" + } + ] + } + ], + "entities": [ + { + "entityType": "Process", + "evidenceCreationTime": "2022-09-30T05:36:50.2133333Z", + "verdict": "Suspicious", + "remediationStatus": "None", + "sha1": "6cbce4a295c163791b60fc23d285e6d84f28ee4c", + "sha256": "de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c", + "fileName": "powershell.exe", + "filePath": "", + "processId": 7068, + "processCommandLine": "powershell.exe -command \" $Process = New-Object System.Diagnostics.Process; $Process.StartInfo.FileName = 'https://nam12.safelinks.protection.outlook.com/?url=http%3A%2F%2Fgcajebahdi.corporatelogon.xyz%2Fab%2Fjnkmbkkdnlgedc&data=05%7C01%7Chetfield%40metal.m365dpoc.com%7Cca409616a82145bd6a5f08daa2a10255%7C1a49212958c8401191cd245285f5345c%7C0%7C0%7C638001109710345383%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=FyEjRS5qOd2SkJELlueibuxLFMYNjL7fz8EbuOAvFwg%3D&reserved=0'; $Process.StartInfo.UseShellExecute = $true; $Process.Start() | Out-Null; \" ", + "processCreationTime": "2022-09-30T05:06:43.3390523Z", + "parentProcessId": 7116, + "parentProcessCreationTime": "2022-09-30T05:06:43.3100364Z", + "accountName": "hetfield", + "userSid": "S-1-5-21-2300221942-1987151257-321556088-1104" + }, + { + "entityType": "File", + "evidenceCreationTime": "2022-09-30T05:36:50.2133333Z", + "verdict": "Suspicious", + "remediationStatus": "None", + "sha1": "6cbce4a295c163791b60fc23d285e6d84f28ee4c", + "sha256": "de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c", + "fileName": "powershell.exe", + "filePath": "" + }, + { + "entityType": "User", + "evidenceCreationTime": "2022-09-30T05:36:50.2133333Z", + "verdict": "Suspicious", + "remediationStatus": "None", + "accountName": "hetfield", + "domainName": "metal.m365dpoc", + "userSid": "S-1-5-21-2300221942-1987151257-321556088-1104", + "aadUserId": "e848b07a-87af-4448-9979-09f0b809c8d4", + "userPrincipalName": "daftpunk" + }, + { + "entityType": "Url", + "evidenceCreationTime": "2022-09-30T05:36:50.2133333Z", + "verdict": "Suspicious", + "remediationStatus": "None", + "url": "http://gcajebahdi.corporatelogon.xyz/ab/jnkmbkkdnlgedc" + } + ] + } \ No newline at end of file diff --git a/detections/application/crushftp_server_side_template_injection.yml b/detections/application/crushftp_server_side_template_injection.yml index 4031f0bceb..0d5c05dcf5 100644 --- a/detections/application/crushftp_server_side_template_injection.yml +++ b/detections/application/crushftp_server_side_template_injection.yml @@ -15,12 +15,12 @@ references: - https://github.com/airbus-cert/CVE-2024-4040 - https://www.bleepingcomputer.com/news/security/crushftp-warns-users-to-patch-exploited-zero-day-immediately/ drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/application/detect_distributed_password_spray_attempts.yml b/detections/application/detect_distributed_password_spray_attempts.yml index ddfd1f8d42..f029979e1b 100644 --- a/detections/application/detect_distributed_password_spray_attempts.yml +++ b/detections/application/detect_distributed_password_spray_attempts.yml @@ -7,36 +7,9 @@ status: production type: Hunting data_source: - Azure Active Directory Sign-in activity -description: This analytic employs the 3-sigma approach to identify distributed password spray attacks. A - distributed password spray attack is a type of brute force attack where the attacker attempts a few - common passwords against many different accounts, connecting from multiple IP addresses to avoid detection. - By utilizing the Authentication Data Model, this detection is effective for all CIM-mapped authentication - events, providing comprehensive coverage and enhancing security against these attacks. -search: '| tstats `security_content_summariesonly` dc(Authentication.user) AS unique_accounts dc(Authentication.src) as unique_src count(Authentication.user) as total_failures from datamodel=Authentication.Authentication where Authentication.action="failure" by Authentication.action, Authentication.signature_id, sourcetype, _time span=2m - | `drop_dm_object_name("Authentication")` - ```fill out time buckets for 0-count events during entire search length``` - | appendpipe [| timechart limit=0 span=5m count | table _time] - | fillnull value=0 unique_accounts, unique_src - ``` remove duplicate & empty time buckets``` - | sort - total_failures - | dedup _time - ``` Create aggregation field & apply to all null events``` - | eval counter=sourcetype+"__"+signature_id - | eventstats values(counter) as fnscounter | eval counter=coalesce(counter,fnscounter) - ``` 3-sigma detection logic ``` - | eventstats avg(unique_accounts) as comp_avg_user , stdev(unique_accounts) as comp_std_user avg(unique_src) as comp_avg_src , stdev(unique_src) as comp_std_src by counter - | eval upperBoundUser=(comp_avg_user+comp_std_user*3), upperBoundsrc=(comp_avg_src+comp_std_src*3) - | eval isOutlier=if((unique_accounts > 30 and unique_accounts >= upperBoundUser) and (unique_src > 30 and unique_accounts >= upperBoundsrc), 1, 0) - | replace "::ffff:*" with * in src - | where isOutlier=1 - | foreach * - [ eval <> = if(<>="null",null(),<>)] - | table _time, action, unique_src, unique_accounts, total_failures, sourcetype, signature_id - | sort - total_failures | `detect_distributed_password_spray_attempts_filter`' -how_to_implement: Ensure that all relevant authentication data is mapped to the Common Information Model (CIM) - and that the src field is populated with the source device information. Additionally, ensure that - fill_nullvalue is set within the security_content_summariesonly macro to include authentication events from - log sources that do not feature the signature_id field in the results. +description: This analytic employs the 3-sigma approach to identify distributed password spray attacks. A distributed password spray attack is a type of brute force attack where the attacker attempts a few common passwords against many different accounts, connecting from multiple IP addresses to avoid detection. By utilizing the Authentication Data Model, this detection is effective for all CIM-mapped authentication events, providing comprehensive coverage and enhancing security against these attacks. +search: '| tstats `security_content_summariesonly` dc(Authentication.user) AS unique_accounts dc(Authentication.src) as unique_src count(Authentication.user) as total_failures from datamodel=Authentication.Authentication where Authentication.action="failure" by Authentication.action, Authentication.signature_id, sourcetype, _time span=2m | `drop_dm_object_name("Authentication")` ```fill out time buckets for 0-count events during entire search length``` | appendpipe [| timechart limit=0 span=5m count | table _time] | fillnull value=0 unique_accounts, unique_src ``` remove duplicate & empty time buckets``` | sort - total_failures | dedup _time ``` Create aggregation field & apply to all null events``` | eval counter=sourcetype+"__"+signature_id | eventstats values(counter) as fnscounter | eval counter=coalesce(counter,fnscounter) ``` 3-sigma detection logic ``` | eventstats avg(unique_accounts) as comp_avg_user , stdev(unique_accounts) as comp_std_user avg(unique_src) as comp_avg_src , stdev(unique_src) as comp_std_src by counter | eval upperBoundUser=(comp_avg_user+comp_std_user*3), upperBoundsrc=(comp_avg_src+comp_std_src*3) | eval isOutlier=if((unique_accounts > 30 and unique_accounts >= upperBoundUser) and (unique_src > 30 and unique_accounts >= upperBoundsrc), 1, 0) | replace "::ffff:*" with * in src | where isOutlier=1 | foreach * [ eval <> = if(<>="null",null(),<>)] | table _time, action, unique_src, unique_accounts, total_failures, sourcetype, signature_id | sort - total_failures | `detect_distributed_password_spray_attempts_filter`' +how_to_implement: Ensure that all relevant authentication data is mapped to the Common Information Model (CIM) and that the src field is populated with the source device information. Additionally, ensure that fill_nullvalue is set within the security_content_summariesonly macro to include authentication events from log sources that do not feature the signature_id field in the results. known_false_positives: It is common to see a spike of legitimate failed authentication events on monday mornings. references: - https://attack.mitre.org/techniques/T1110/003/ @@ -72,10 +45,10 @@ tags: - Authentication.user - Authentication.src security_domain: access - manual_test: The dataset & hardcoded timerange doesn't meet the criteria for this detetion. + manual_test: The dataset & hardcoded timerange doesn't meet the criteria for this detetion. tests: - name: True Positive Test attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.003/azure_ad_distributed_spray/azure_ad_distributed_spray.log source: azure:monitor:aad - sourcetype: azure:monitor:aad \ No newline at end of file + sourcetype: azure:monitor:aad diff --git a/detections/application/detect_new_login_attempts_to_routers.yml b/detections/application/detect_new_login_attempts_to_routers.yml index 57008d18f1..1177fe653b 100644 --- a/detections/application/detect_new_login_attempts_to_routers.yml +++ b/detections/application/detect_new_login_attempts_to_routers.yml @@ -5,23 +5,10 @@ date: '2024-10-17' author: Bhavin Patel, Splunk status: experimental type: TTP -description: The following analytic identifies new login attempts to routers. It leverages - authentication logs from the ES Assets and Identity Framework, focusing on assets - categorized as routers. The detection flags connections that have not been observed - in the past 30 days. This activity is significant because unauthorized access to - routers can lead to network disruptions or data interception. If confirmed malicious, - attackers could gain control over network traffic, potentially leading to data breaches - or further network compromise. +description: The following analytic identifies new login attempts to routers. It leverages authentication logs from the ES Assets and Identity Framework, focusing on assets categorized as routers. The detection flags connections that have not been observed in the past 30 days. This activity is significant because unauthorized access to routers can lead to network disruptions or data interception. If confirmed malicious, attackers could gain control over network traffic, potentially leading to data breaches or further network compromise. data_source: [] -search: '| tstats `security_content_summariesonly` count earliest(_time) as earliest - latest(_time) as latest from datamodel=Authentication where Authentication.dest_category=router - by Authentication.dest Authentication.user| eval isOutlier=if(earliest >= relative_time(now(), - "-30d@d"), 1, 0) | where isOutlier=1| `security_content_ctime(earliest)`| `security_content_ctime(latest)` - | `drop_dm_object_name("Authentication")` | `detect_new_login_attempts_to_routers_filter`' -how_to_implement: To successfully implement this search, you must ensure the network - router devices are categorized as "router" in the Assets and identity table. You - must also populate the Authentication data model with logs related to users authenticating - to routing infrastructure. +search: '| tstats `security_content_summariesonly` count earliest(_time) as earliest latest(_time) as latest from datamodel=Authentication where Authentication.dest_category=router by Authentication.dest Authentication.user| eval isOutlier=if(earliest >= relative_time(now(), "-30d@d"), 1, 0) | where isOutlier=1| `security_content_ctime(earliest)`| `security_content_ctime(latest)` | `drop_dm_object_name("Authentication")` | `detect_new_login_attempts_to_routers_filter`' +how_to_implement: To successfully implement this search, you must ensure the network router devices are categorized as "router" in the Assets and identity table. You must also populate the Authentication data model with logs related to users authenticating to routing infrastructure. known_false_positives: Legitimate router connections may appear as new connections references: [] tags: diff --git a/detections/application/detect_password_spray_attempts.yml b/detections/application/detect_password_spray_attempts.yml index b6b919bdcd..e90f4e889d 100644 --- a/detections/application/detect_password_spray_attempts.yml +++ b/detections/application/detect_password_spray_attempts.yml @@ -14,12 +14,12 @@ known_false_positives: Unknown references: - https://attack.mitre.org/techniques/T1110/003/ drilldown_searches: -- name: View the detection results for $sourcetype$ - search: '%original_detection_search% | search sourcetype = $sourcetype$' +- name: View the detection results for - "$sourcetype$" + search: '%original_detection_search% | search sourcetype = "$sourcetype$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $sourcetype$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($sourcetype$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$sourcetype$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$sourcetype$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/application/email_attachments_with_lots_of_spaces.yml b/detections/application/email_attachments_with_lots_of_spaces.yml index 91d418cd03..a25822aab7 100644 --- a/detections/application/email_attachments_with_lots_of_spaces.yml +++ b/detections/application/email_attachments_with_lots_of_spaces.yml @@ -5,37 +5,14 @@ date: '2024-10-17' author: David Dorsey, Splunk status: experimental type: Anomaly -description: The following analytic detects email attachments with an unusually high - number of spaces in their file names, which is a common tactic used by attackers - to obfuscate file extensions. It leverages the Email data model to identify attachments - where the ratio of spaces to the total file name length exceeds 10%. This behavior - is significant as it may indicate an attempt to bypass security filters and deliver - malicious payloads. If confirmed malicious, this activity could lead to the execution - of harmful code or unauthorized access to sensitive information within the recipient's - environment. +description: The following analytic detects email attachments with an unusually high number of spaces in their file names, which is a common tactic used by attackers to obfuscate file extensions. It leverages the Email data model to identify attachments where the ratio of spaces to the total file name length exceeds 10%. This behavior is significant as it may indicate an attempt to bypass security filters and deliver malicious payloads. If confirmed malicious, this activity could lead to the execution of harmful code or unauthorized access to sensitive information within the recipient's environment. data_source: [] -search: '| tstats `security_content_summariesonly` count values(All_Email.recipient) - as recipient_address min(_time) as firstTime max(_time) as lastTime from datamodel=Email - where All_Email.file_name="*" by All_Email.src_user, All_Email.file_name All_Email.message_id - | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `drop_dm_object_name("All_Email")` - | eval space_ratio = (mvcount(split(file_name," "))-1)/len(file_name) | search space_ratio - >= 0.1 | rex field=recipient_address "(?.*)@" | `email_attachments_with_lots_of_spaces_filter`' -how_to_implement: 'You need to ingest data from emails. Specifically, the sender''s - address and the file names of any attachments must be mapped to the Email data model. - The threshold ratio is set to 10%, but this value can be configured to suit each - environment. +search: '| tstats `security_content_summariesonly` count values(All_Email.recipient) as recipient_address min(_time) as firstTime max(_time) as lastTime from datamodel=Email where All_Email.file_name="*" by All_Email.src_user, All_Email.file_name All_Email.message_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `drop_dm_object_name("All_Email")` | eval space_ratio = (mvcount(split(file_name," "))-1)/len(file_name) | search space_ratio >= 0.1 | rex field=recipient_address "(?.*)@" | `email_attachments_with_lots_of_spaces_filter`' +how_to_implement: 'You need to ingest data from emails. Specifically, the sender''s address and the file names of any attachments must be mapped to the Email data model. The threshold ratio is set to 10%, but this value can be configured to suit each environment. **Splunk Phantom Playbook Integration** - If Splunk Phantom is also configured in your environment, a playbook called "Suspicious - Email Attachment Investigate and Delete" can be configured to run when any results - are found by this detection search. To use this integration, install the Phantom - App for Splunk `https://splunkbase.splunk.com/app/3411/` and add the correct hostname - to the "Phantom Instance" field in the Adaptive Response Actions when configuring - this detection search. The notable event will be sent to Phantom and the playbook - will gather further information about the file attachment and its network behaviors. - If Phantom finds malicious behavior and an analyst approves of the results, the - email will be deleted from the user''s inbox.' + If Splunk Phantom is also configured in your environment, a playbook called "Suspicious Email Attachment Investigate and Delete" can be configured to run when any results are found by this detection search. To use this integration, install the Phantom App for Splunk `https://splunkbase.splunk.com/app/3411/` and add the correct hostname to the "Phantom Instance" field in the Adaptive Response Actions when configuring this detection search. The notable event will be sent to Phantom and the playbook will gather further information about the file attachment and its network behaviors. If Phantom finds malicious behavior and an analyst approves of the results, the email will be deleted from the user''s inbox.' known_false_positives: None at this time references: [] tags: diff --git a/detections/application/email_files_written_outside_of_the_outlook_directory.yml b/detections/application/email_files_written_outside_of_the_outlook_directory.yml index c3cdb4f5dd..b30ba515aa 100644 --- a/detections/application/email_files_written_outside_of_the_outlook_directory.yml +++ b/detections/application/email_files_written_outside_of_the_outlook_directory.yml @@ -5,32 +5,12 @@ date: '2024-10-17' author: Bhavin Patel, Splunk status: experimental type: TTP -description: The following analytic detects email files (.pst or .ost) being created - outside the standard Outlook directories. It leverages the Endpoint.Filesystem data - model to identify file creation events and filters for email files not located in - "C:\Users\*\My Documents\Outlook Files\*" or "C:\Users\*\AppData\Local\Microsoft\Outlook*". - This activity is significant as it may indicate data exfiltration or unauthorized - access to email data. If confirmed malicious, an attacker could potentially access - sensitive email content, leading to data breaches or further exploitation within - the network. +description: The following analytic detects email files (.pst or .ost) being created outside the standard Outlook directories. It leverages the Endpoint.Filesystem data model to identify file creation events and filters for email files not located in "C:\Users\*\My Documents\Outlook Files\*" or "C:\Users\*\AppData\Local\Microsoft\Outlook*". This activity is significant as it may indicate data exfiltration or unauthorized access to email data. If confirmed malicious, an attacker could potentially access sensitive email content, leading to data breaches or further exploitation within the network. data_source: - Sysmon EventID 11 -search: '| tstats `security_content_summariesonly` count values(Filesystem.file_path) - as file_path min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Filesystem - where (Filesystem.file_name=*.pst OR Filesystem.file_name=*.ost) Filesystem.file_path - != "C:\\Users\\*\\My Documents\\Outlook Files\\*" Filesystem.file_path!="C:\\Users\\*\\AppData\\Local\\Microsoft\\Outlook*" - by Filesystem.action Filesystem.process_id Filesystem.file_name Filesystem.dest - | `drop_dm_object_name("Filesystem")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| - `email_files_written_outside_of_the_outlook_directory_filter`' -how_to_implement: To successfully implement this search, you must be ingesting data - that records the file-system activity from your hosts to populate the Endpoint.Filesystem - data model node. This is typically populated via endpoint detection-and-response - product, such as Carbon Black, or by other endpoint data sources, such as Sysmon. - The data used for this search is typically generated via logs that report file-system - reads and writes. -known_false_positives: Administrators and users sometimes prefer backing up their - email data by moving the email files into a different folder. These attempts will - be detected by the search. +search: '| tstats `security_content_summariesonly` count values(Filesystem.file_path) as file_path min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Filesystem where (Filesystem.file_name=*.pst OR Filesystem.file_name=*.ost) Filesystem.file_path != "C:\\Users\\*\\My Documents\\Outlook Files\\*" Filesystem.file_path!="C:\\Users\\*\\AppData\\Local\\Microsoft\\Outlook*" by Filesystem.action Filesystem.process_id Filesystem.file_name Filesystem.dest | `drop_dm_object_name("Filesystem")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `email_files_written_outside_of_the_outlook_directory_filter`' +how_to_implement: To successfully implement this search, you must be ingesting data that records the file-system activity from your hosts to populate the Endpoint.Filesystem data model node. This is typically populated via endpoint detection-and-response product, such as Carbon Black, or by other endpoint data sources, such as Sysmon. The data used for this search is typically generated via logs that report file-system reads and writes. +known_false_positives: Administrators and users sometimes prefer backing up their email data by moving the email files into a different folder. These attempts will be detected by the search. references: [] tags: analytic_story: diff --git a/detections/application/email_servers_sending_high_volume_traffic_to_hosts.yml b/detections/application/email_servers_sending_high_volume_traffic_to_hosts.yml index 1317f01a8f..d978a5a014 100644 --- a/detections/application/email_servers_sending_high_volume_traffic_to_hosts.yml +++ b/detections/application/email_servers_sending_high_volume_traffic_to_hosts.yml @@ -5,38 +5,11 @@ date: '2024-10-17' author: Bhavin Patel, Splunk status: experimental type: Anomaly -description: The following analytic identifies a significant increase in data transfers - from your email server to client hosts. It leverages the Network_Traffic data model - to monitor outbound traffic from email servers, using statistical analysis to detect - anomalies based on average and standard deviation metrics. This activity is significant - as it may indicate a malicious actor exfiltrating data via your email server. If - confirmed malicious, this could lead to unauthorized data access and potential data - breaches, compromising sensitive information and impacting organizational security. +description: The following analytic identifies a significant increase in data transfers from your email server to client hosts. It leverages the Network_Traffic data model to monitor outbound traffic from email servers, using statistical analysis to detect anomalies based on average and standard deviation metrics. This activity is significant as it may indicate a malicious actor exfiltrating data via your email server. If confirmed malicious, this could lead to unauthorized data access and potential data breaches, compromising sensitive information and impacting organizational security. data_source: [] -search: '| tstats `security_content_summariesonly` sum(All_Traffic.bytes_out) as bytes_out - from datamodel=Network_Traffic where All_Traffic.src_category=email_server by All_Traffic.dest_ip - _time span=1d | `drop_dm_object_name("All_Traffic")` | eventstats avg(bytes_out) - as avg_bytes_out stdev(bytes_out) as stdev_bytes_out | eventstats count as num_data_samples - avg(eval(if(_time < relative_time(now(), "@d"), bytes_out, null))) as per_source_avg_bytes_out - stdev(eval(if(_time < relative_time(now(), "@d"), bytes_out, null))) as per_source_stdev_bytes_out - by dest_ip | eval minimum_data_samples = 4, deviation_threshold = 3 | where num_data_samples - >= minimum_data_samples AND bytes_out > (avg_bytes_out + (deviation_threshold * - stdev_bytes_out)) AND bytes_out > (per_source_avg_bytes_out + (deviation_threshold - * per_source_stdev_bytes_out)) AND _time >= relative_time(now(), "@d") | eval num_standard_deviations_away_from_server_average - = round(abs(bytes_out - avg_bytes_out) / stdev_bytes_out, 2), num_standard_deviations_away_from_client_average - = round(abs(bytes_out - per_source_avg_bytes_out) / per_source_stdev_bytes_out, - 2) | table dest_ip, _time, bytes_out, avg_bytes_out, per_source_avg_bytes_out, num_standard_deviations_away_from_server_average, - num_standard_deviations_away_from_client_average | `email_servers_sending_high_volume_traffic_to_hosts_filter`' -how_to_implement: This search requires you to be ingesting your network traffic and - populating the Network_Traffic data model. Your email servers must be categorized - as "email_server" for the search to work, as well. You may need to adjust the deviation_threshold - and minimum_data_samples values based on the network traffic in your environment. - The "deviation_threshold" field is a multiplying factor to control how much variation - you're willing to tolerate. The "minimum_data_samples" field is the minimum number - of connections of data samples required for the statistic to be valid. -known_false_positives: The false-positive rate will vary based on how you set the - deviation_threshold and data_samples values. Our recommendation is to adjust these - values based on your network traffic to and from your email servers. +search: '| tstats `security_content_summariesonly` sum(All_Traffic.bytes_out) as bytes_out from datamodel=Network_Traffic where All_Traffic.src_category=email_server by All_Traffic.dest_ip _time span=1d | `drop_dm_object_name("All_Traffic")` | eventstats avg(bytes_out) as avg_bytes_out stdev(bytes_out) as stdev_bytes_out | eventstats count as num_data_samples avg(eval(if(_time < relative_time(now(), "@d"), bytes_out, null))) as per_source_avg_bytes_out stdev(eval(if(_time < relative_time(now(), "@d"), bytes_out, null))) as per_source_stdev_bytes_out by dest_ip | eval minimum_data_samples = 4, deviation_threshold = 3 | where num_data_samples >= minimum_data_samples AND bytes_out > (avg_bytes_out + (deviation_threshold * stdev_bytes_out)) AND bytes_out > (per_source_avg_bytes_out + (deviation_threshold * per_source_stdev_bytes_out)) AND _time >= relative_time(now(), "@d") | eval num_standard_deviations_away_from_server_average = round(abs(bytes_out - avg_bytes_out) / stdev_bytes_out, 2), num_standard_deviations_away_from_client_average = round(abs(bytes_out - per_source_avg_bytes_out) / per_source_stdev_bytes_out, 2) | table dest_ip, _time, bytes_out, avg_bytes_out, per_source_avg_bytes_out, num_standard_deviations_away_from_server_average, num_standard_deviations_away_from_client_average | `email_servers_sending_high_volume_traffic_to_hosts_filter`' +how_to_implement: This search requires you to be ingesting your network traffic and populating the Network_Traffic data model. Your email servers must be categorized as "email_server" for the search to work, as well. You may need to adjust the deviation_threshold and minimum_data_samples values based on the network traffic in your environment. The "deviation_threshold" field is a multiplying factor to control how much variation you're willing to tolerate. The "minimum_data_samples" field is the minimum number of connections of data samples required for the statistic to be valid. +known_false_positives: The false-positive rate will vary based on how you set the deviation_threshold and data_samples values. Our recommendation is to adjust these values based on your network traffic to and from your email servers. references: [] tags: analytic_story: diff --git a/detections/application/ivanti_vtm_new_account_creation.yml b/detections/application/ivanti_vtm_new_account_creation.yml index b19b2f88a1..800c5cd88c 100644 --- a/detections/application/ivanti_vtm_new_account_creation.yml +++ b/detections/application/ivanti_vtm_new_account_creation.yml @@ -15,12 +15,12 @@ references: - https://www.ivanti.com/security/security-advisories/ivanti-virtual-traffic-manager-vtm-cve-2024-7593 - https://nvd.nist.gov/vuln/detail/CVE-2024-7593 drilldown_searches: -- name: View the detection results for $MODUSER$ - search: '%original_detection_search% | search MODUSER = $MODUSER$' +- name: View the detection results for - "$MODUSER$" + search: '%original_detection_search% | search MODUSER = "$MODUSER$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $MODUSER$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($MODUSER$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$MODUSER$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$MODUSER$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/application/monitor_email_for_brand_abuse.yml b/detections/application/monitor_email_for_brand_abuse.yml index 560011e04a..3ecae133f8 100644 --- a/detections/application/monitor_email_for_brand_abuse.yml +++ b/detections/application/monitor_email_for_brand_abuse.yml @@ -5,25 +5,10 @@ date: '2024-10-17' author: David Dorsey, Splunk status: experimental type: TTP -description: The following analytic identifies emails claiming to be sent from a domain - similar to one you are monitoring for potential abuse. It leverages email header - data, specifically the sender's address, and cross-references it with a lookup table - of known domain permutations generated by the "ESCU - DNSTwist Domain Names" search. - This activity is significant as it can indicate phishing attempts or brand impersonation, - which are common tactics used in social engineering attacks. If confirmed malicious, - this could lead to unauthorized access, data theft, or reputational damage. +description: The following analytic identifies emails claiming to be sent from a domain similar to one you are monitoring for potential abuse. It leverages email header data, specifically the sender's address, and cross-references it with a lookup table of known domain permutations generated by the "ESCU - DNSTwist Domain Names" search. This activity is significant as it can indicate phishing attempts or brand impersonation, which are common tactics used in social engineering attacks. If confirmed malicious, this could lead to unauthorized access, data theft, or reputational damage. data_source: [] -search: '| tstats `security_content_summariesonly` values(All_Email.recipient) as - recipients, min(_time) as firstTime, max(_time) as lastTime from datamodel=Email - by All_Email.src_user, All_Email.message_id | `drop_dm_object_name("All_Email")` - | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | eval - temp=split(src_user, "@") | eval email_domain=mvindex(temp, 1) | lookup update=true - brandMonitoring_lookup domain as email_domain OUTPUT domain_abuse | search domain_abuse=true - | table message_id, src_user, email_domain, recipients, firstTime, lastTime | `monitor_email_for_brand_abuse_filter`' -how_to_implement: You need to ingest email header data. Specifically the sender's - address (src_user) must be populated. You also need to have run the search "ESCU - - DNSTwist Domain Names", which creates the permutations of the domain that will - be checked for. +search: '| tstats `security_content_summariesonly` values(All_Email.recipient) as recipients, min(_time) as firstTime, max(_time) as lastTime from datamodel=Email by All_Email.src_user, All_Email.message_id | `drop_dm_object_name("All_Email")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | eval temp=split(src_user, "@") | eval email_domain=mvindex(temp, 1) | lookup update=true brandMonitoring_lookup domain as email_domain OUTPUT domain_abuse | search domain_abuse=true | table message_id, src_user, email_domain, recipients, firstTime, lastTime | `monitor_email_for_brand_abuse_filter`' +how_to_implement: You need to ingest email header data. Specifically the sender's address (src_user) must be populated. You also need to have run the search "ESCU - DNSTwist Domain Names", which creates the permutations of the domain that will be checked for. known_false_positives: None at this time references: [] tags: diff --git a/detections/application/no_windows_updates_in_a_time_frame.yml b/detections/application/no_windows_updates_in_a_time_frame.yml index f97db3b26b..3e5cbbfab8 100644 --- a/detections/application/no_windows_updates_in_a_time_frame.yml +++ b/detections/application/no_windows_updates_in_a_time_frame.yml @@ -5,28 +5,10 @@ date: '2024-10-17' author: Bhavin Patel, Splunk status: experimental type: Hunting -description: The following analytic identifies Windows endpoints that have not generated - an event indicating a successful Windows update in the last 60 days. It leverages - the 'Update' data model in Splunk, specifically looking for the latest 'Installed' - status events from Microsoft Windows. This activity is significant for a SOC because - endpoints that are not regularly patched are vulnerable to known exploits and security - vulnerabilities. If confirmed malicious, this could indicate a compromised endpoint - that is intentionally being kept unpatched, potentially allowing attackers to exploit - unpatched vulnerabilities and gain unauthorized access or control. +description: The following analytic identifies Windows endpoints that have not generated an event indicating a successful Windows update in the last 60 days. It leverages the 'Update' data model in Splunk, specifically looking for the latest 'Installed' status events from Microsoft Windows. This activity is significant for a SOC because endpoints that are not regularly patched are vulnerable to known exploits and security vulnerabilities. If confirmed malicious, this could indicate a compromised endpoint that is intentionally being kept unpatched, potentially allowing attackers to exploit unpatched vulnerabilities and gain unauthorized access or control. data_source: [] -search: '| tstats `security_content_summariesonly` max(_time) as lastTime from datamodel=Updates - where Updates.status=Installed Updates.vendor_product="Microsoft Windows" by Updates.dest - Updates.status Updates.vendor_product | rename Updates.dest as Host | rename Updates.status - as "Update Status" | rename Updates.vendor_product as Product | eval isOutlier=if(lastTime - <= relative_time(now(), "-60d@d"), 1, 0) | `security_content_ctime(lastTime)` | - search isOutlier=1 | rename lastTime as "Last Update Time", | table Host, "Update - Status", Product, "Last Update Time" | `no_windows_updates_in_a_time_frame_filter`' -how_to_implement: To successfully implement this search, it requires that the 'Update' - data model is being populated. This can be accomplished by ingesting Windows events - or the Windows Update log via a universal forwarder on the Windows endpoints you - wish to monitor. The Windows add-on should be also be installed and configured to - properly parse Windows events in Splunk. There may be other data sources which can - populate this data model, including vulnerability management systems. +search: '| tstats `security_content_summariesonly` max(_time) as lastTime from datamodel=Updates where Updates.status=Installed Updates.vendor_product="Microsoft Windows" by Updates.dest Updates.status Updates.vendor_product | rename Updates.dest as Host | rename Updates.status as "Update Status" | rename Updates.vendor_product as Product | eval isOutlier=if(lastTime <= relative_time(now(), "-60d@d"), 1, 0) | `security_content_ctime(lastTime)` | search isOutlier=1 | rename lastTime as "Last Update Time", | table Host, "Update Status", Product, "Last Update Time" | `no_windows_updates_in_a_time_frame_filter`' +how_to_implement: To successfully implement this search, it requires that the 'Update' data model is being populated. This can be accomplished by ingesting Windows events or the Windows Update log via a universal forwarder on the Windows endpoints you wish to monitor. The Windows add-on should be also be installed and configured to properly parse Windows events in Splunk. There may be other data sources which can populate this data model, including vulnerability management systems. known_false_positives: None identified references: [] tags: diff --git a/detections/application/okta_authentication_failed_during_mfa_challenge.yml b/detections/application/okta_authentication_failed_during_mfa_challenge.yml index d773494da9..22fa5d249f 100644 --- a/detections/application/okta_authentication_failed_during_mfa_challenge.yml +++ b/detections/application/okta_authentication_failed_during_mfa_challenge.yml @@ -15,12 +15,12 @@ references: - https://sec.okta.com/everythingisyes - https://splunkbase.splunk.com/app/6553 drilldown_searches: -- name: View the detection results for $user$ - search: '%original_detection_search% | search user = $user$' +- name: View the detection results for - "$user$" + search: '%original_detection_search% | search user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/application/okta_idp_lifecycle_modifications.yml b/detections/application/okta_idp_lifecycle_modifications.yml index d687f569ef..a8530426c8 100644 --- a/detections/application/okta_idp_lifecycle_modifications.yml +++ b/detections/application/okta_idp_lifecycle_modifications.yml @@ -15,12 +15,12 @@ references: - https://www.obsidiansecurity.com/blog/behind-the-breach-cross-tenant-impersonation-in-okta/ - https://splunkbase.splunk.com/app/6553 drilldown_searches: -- name: View the detection results for $user$ - search: '%original_detection_search% | search user = $user$' +- name: View the detection results for - "$user$" + search: '%original_detection_search% | search user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/application/okta_mfa_exhaustion_hunt.yml b/detections/application/okta_mfa_exhaustion_hunt.yml index e1c04a3fc8..6ee99861d9 100644 --- a/detections/application/okta_mfa_exhaustion_hunt.yml +++ b/detections/application/okta_mfa_exhaustion_hunt.yml @@ -5,33 +5,12 @@ date: '2024-10-17' author: Michael Haag, Marissa Bower, Mauricio Velazco, Splunk status: production type: Hunting -description: The following analytic detects patterns of successful and failed Okta - MFA push attempts to identify potential MFA exhaustion attacks. It leverages Okta - event logs, specifically focusing on push verification events, and uses statistical - evaluations to determine suspicious activity. This activity is significant as it - may indicate an attacker attempting to bypass MFA by overwhelming the user with - push notifications. If confirmed malicious, this could lead to unauthorized access, - compromising the security of the affected accounts and potentially the entire environment. -data_source: +description: The following analytic detects patterns of successful and failed Okta MFA push attempts to identify potential MFA exhaustion attacks. It leverages Okta event logs, specifically focusing on push verification events, and uses statistical evaluations to determine suspicious activity. This activity is significant as it may indicate an attacker attempting to bypass MFA by overwhelming the user with push notifications. If confirmed malicious, this could lead to unauthorized access, compromising the security of the affected accounts and potentially the entire environment. +data_source: - Okta -search: '`okta` eventType=system.push.send_factor_verify_push OR ((legacyEventType=core.user.factor.attempt_success) - AND (debugContext.debugData.factor=OKTA_VERIFY_PUSH)) OR ((legacyEventType=core.user.factor.attempt_fail) - AND (debugContext.debugData.factor=OKTA_VERIFY_PUSH)) | stats count(eval(legacyEventType="core.user.factor.attempt_success")) as - successes count(eval(legacyEventType="core.user.factor.attempt_fail")) as failures - count(eval(eventType="system.push.send_factor_verify_push")) as pushes by user,_time - | stats latest(_time) as lasttime earliest(_time) as firsttime sum(successes) as - successes sum(failures) as failures sum(pushes) as pushes by user | eval seconds=lasttime-firsttime - | eval lasttime=strftime(lasttime, "%c") | search (pushes>1) | eval totalattempts=successes+failures - | eval finding="Normal authentication pattern" | eval finding=if(failures==pushes - AND pushes>1,"Authentication attempts not successful because multiple pushes denied",finding) - | eval finding=if(totalattempts==0,"Multiple pushes sent and ignored",finding) | - eval finding=if(successes>0 AND pushes>3,"Probably should investigate. Multiple - pushes sent, eventual successful authentication!",finding) | `okta_mfa_exhaustion_hunt_filter`' -how_to_implement: The analytic leverages Okta OktaIm2 logs to be ingested using the - Splunk Add-on for Okta Identity Cloud (https://splunkbase.splunk.com/app/6553). -known_false_positives: False positives may be present. Tune Okta and tune the analytic - to ensure proper fidelity. Modify risk score as needed. Drop to anomaly until tuning - is complete. +search: '`okta` eventType=system.push.send_factor_verify_push OR ((legacyEventType=core.user.factor.attempt_success) AND (debugContext.debugData.factor=OKTA_VERIFY_PUSH)) OR ((legacyEventType=core.user.factor.attempt_fail) AND (debugContext.debugData.factor=OKTA_VERIFY_PUSH)) | stats count(eval(legacyEventType="core.user.factor.attempt_success")) as successes count(eval(legacyEventType="core.user.factor.attempt_fail")) as failures count(eval(eventType="system.push.send_factor_verify_push")) as pushes by user,_time | stats latest(_time) as lasttime earliest(_time) as firsttime sum(successes) as successes sum(failures) as failures sum(pushes) as pushes by user | eval seconds=lasttime-firsttime | eval lasttime=strftime(lasttime, "%c") | search (pushes>1) | eval totalattempts=successes+failures | eval finding="Normal authentication pattern" | eval finding=if(failures==pushes AND pushes>1,"Authentication attempts not successful because multiple pushes denied",finding) | eval finding=if(totalattempts==0,"Multiple pushes sent and ignored",finding) | eval finding=if(successes>0 AND pushes>3,"Probably should investigate. Multiple pushes sent, eventual successful authentication!",finding) | `okta_mfa_exhaustion_hunt_filter`' +how_to_implement: The analytic leverages Okta OktaIm2 logs to be ingested using the Splunk Add-on for Okta Identity Cloud (https://splunkbase.splunk.com/app/6553). +known_false_positives: False positives may be present. Tune Okta and tune the analytic to ensure proper fidelity. Modify risk score as needed. Drop to anomaly until tuning is complete. references: - https://developer.okta.com/docs/reference/api/event-types/?q=user.acount.lock - https://sec.okta.com/everythingisyes @@ -66,7 +45,6 @@ tags: tests: - name: True Positive Test attack_data: - - data: - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1621/okta_multiple_failed_mfa_pushes/okta_multiple_failed_mfa_pushes.log + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1621/okta_multiple_failed_mfa_pushes/okta_multiple_failed_mfa_pushes.log source: Okta sourcetype: OktaIM2:log diff --git a/detections/application/okta_mismatch_between_source_and_response_for_verify_push_request.yml b/detections/application/okta_mismatch_between_source_and_response_for_verify_push_request.yml index 39a87ca9cb..7833aa0843 100644 --- a/detections/application/okta_mismatch_between_source_and_response_for_verify_push_request.yml +++ b/detections/application/okta_mismatch_between_source_and_response_for_verify_push_request.yml @@ -5,40 +5,12 @@ date: '2024-10-17' author: John Murphy and Jordan Ruocco, Okta, Michael Haag, Splunk type: TTP status: experimental -data_source: +data_source: - Okta -description: 'The following analytic identifies discrepancies between the source and - response events for Okta Verify Push requests, indicating potential suspicious behavior. - It leverages Okta System Log events, specifically `system.push.send_factor_verify_push` - and `user.authentication.auth_via_mfa` with the factor "OKTA_VERIFY_PUSH." The detection - groups events by SessionID, calculates the ratio of successful sign-ins to push - requests, and checks for session roaming and new device/IP usage. This activity - is significant as it may indicate push spam or unauthorized access attempts. If - confirmed malicious, attackers could bypass MFA, leading to unauthorized access - to sensitive systems.' -search: '`okta` eventType IN (system.push.send_factor_verify_push) OR (eventType IN - (user.authentication.auth_via_mfa) debugContext.debugData.factor="OKTA_VERIFY_PUSH") - | eval groupby="authenticationContext.externalSessionId" | eval group_push_time=_time - | bin span=2s group_push_time | fillnull value=NULL | stats min(_time) as _time - by authenticationContext.externalSessionId eventType debugContext.debugData.factor - outcome.result actor.alternateId client.device client.ipAddress client.userAgent.rawUserAgent - debugContext.debugData.behaviors group_push_time groupby | iplocation client.ipAddress - | fields - lat, lon, group_push_time | stats min(_time) as _time dc(client.ipAddress) - as dc_ip sum(eval(if(eventType="system.push.send_factor_verify_push" AND "outcome.result"="SUCCESS",1,0))) - as total_pushes sum(eval(if(eventType="user.authentication.auth_via_mfa" AND "outcome.result"="SUCCESS",1,0))) - as total_successes sum(eval(if(eventType="user.authentication.auth_via_mfa" AND - "outcome.result"="FAILURE",1,0))) as total_rejected sum(eval(if(eventType="system.push.send_factor_verify_push" - AND "debugContext.debugData.behaviors" LIKE "%New Device=POSITIVE%",1,0))) as suspect_device_from_source - sum(eval(if(eventType="system.push.send_factor_verify_push" AND "debugContext.debugData.behaviors" - LIKE "%New IP=POSITIVE%",0,0))) as suspect_ip_from_source values(eval(if(eventType="system.push.send_factor_verify_push","client.ipAddress",""))) - as src values(eval(if(eventType="user.authentication.auth_via_mfa","client.ipAddress",""))) - as dest values(*) as * by groupby | eval ratio = round(total_successes/total_pushes,2) - | search ((ratio < 0.5 AND total_pushes > 1) OR (total_rejected > 0)) AND dc_ip - > 1 AND suspect_device_from_source > 0 AND suspect_ip_from_source > 0 | `okta_mismatch_between_source_and_response_for_verify_push_request_filter`' -how_to_implement: The analytic leverages Okta OktaIm2 logs to be ingested using the - Splunk Add-on for Okta Identity Cloud (https://splunkbase.splunk.com/app/6553). -known_false_positives: False positives may be present based on organization size and - configuration of Okta. Monitor, tune and filter as needed. +description: The following analytic identifies discrepancies between the source and response events for Okta Verify Push requests, indicating potential suspicious behavior. It leverages Okta System Log events, specifically `system.push.send_factor_verify_push` and `user.authentication.auth_via_mfa` with the factor "OKTA_VERIFY_PUSH." The detection groups events by SessionID, calculates the ratio of successful sign-ins to push requests, and checks for session roaming and new device/IP usage. This activity is significant as it may indicate push spam or unauthorized access attempts. If confirmed malicious, attackers could bypass MFA, leading to unauthorized access to sensitive systems. +search: '`okta` eventType IN (system.push.send_factor_verify_push) OR (eventType IN (user.authentication.auth_via_mfa) debugContext.debugData.factor="OKTA_VERIFY_PUSH") | eval groupby="authenticationContext.externalSessionId" | eval group_push_time=_time | bin span=2s group_push_time | fillnull value=NULL | stats min(_time) as _time by authenticationContext.externalSessionId eventType debugContext.debugData.factor outcome.result actor.alternateId client.device client.ipAddress client.userAgent.rawUserAgent debugContext.debugData.behaviors group_push_time groupby | iplocation client.ipAddress | fields - lat, lon, group_push_time | stats min(_time) as _time dc(client.ipAddress) as dc_ip sum(eval(if(eventType="system.push.send_factor_verify_push" AND "outcome.result"="SUCCESS",1,0))) as total_pushes sum(eval(if(eventType="user.authentication.auth_via_mfa" AND "outcome.result"="SUCCESS",1,0))) as total_successes sum(eval(if(eventType="user.authentication.auth_via_mfa" AND "outcome.result"="FAILURE",1,0))) as total_rejected sum(eval(if(eventType="system.push.send_factor_verify_push" AND "debugContext.debugData.behaviors" LIKE "%New Device=POSITIVE%",1,0))) as suspect_device_from_source sum(eval(if(eventType="system.push.send_factor_verify_push" AND "debugContext.debugData.behaviors" LIKE "%New IP=POSITIVE%",0,0))) as suspect_ip_from_source values(eval(if(eventType="system.push.send_factor_verify_push","client.ipAddress",""))) as src values(eval(if(eventType="user.authentication.auth_via_mfa","client.ipAddress",""))) as dest values(*) as * by groupby | eval ratio = round(total_successes/total_pushes,2) | search ((ratio < 0.5 AND total_pushes > 1) OR (total_rejected > 0)) AND dc_ip > 1 AND suspect_device_from_source > 0 AND suspect_ip_from_source > 0 | `okta_mismatch_between_source_and_response_for_verify_push_request_filter`' +how_to_implement: The analytic leverages Okta OktaIm2 logs to be ingested using the Splunk Add-on for Okta Identity Cloud (https://splunkbase.splunk.com/app/6553). +known_false_positives: False positives may be present based on organization size and configuration of Okta. Monitor, tune and filter as needed. references: - https://attack.mitre.org/techniques/T1621 - https://splunkbase.splunk.com/app/6553 @@ -49,8 +21,7 @@ tags: asset_type: Okta Tenant confidence: 80 impact: 80 - message: A mismatch between source and response for verifying a push request has - occurred for $actor.alternateId$ + message: A mismatch between source and response for verifying a push request has occurred for $actor.alternateId$ mitre_attack_id: - T1621 observable: diff --git a/detections/application/okta_multi_factor_authentication_disabled.yml b/detections/application/okta_multi_factor_authentication_disabled.yml index 76bd6a77bd..328f02f3e7 100644 --- a/detections/application/okta_multi_factor_authentication_disabled.yml +++ b/detections/application/okta_multi_factor_authentication_disabled.yml @@ -15,12 +15,12 @@ references: - https://attack.mitre.org/techniques/T1556/ - https://splunkbase.splunk.com/app/6553 drilldown_searches: -- name: View the detection results for $user$ - search: '%original_detection_search% | search user = $user$' +- name: View the detection results for - "$user$" + search: '%original_detection_search% | search user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/application/okta_multiple_accounts_locked_out.yml b/detections/application/okta_multiple_accounts_locked_out.yml index 2d82fbfa6d..c52dab5f39 100644 --- a/detections/application/okta_multiple_accounts_locked_out.yml +++ b/detections/application/okta_multiple_accounts_locked_out.yml @@ -15,12 +15,12 @@ references: - https://attack.mitre.org/techniques/T1110/ - https://splunkbase.splunk.com/app/6553 drilldown_searches: -- name: View the detection results for $user$ - search: '%original_detection_search% | search user = $user$' +- name: View the detection results for - "$user$" + search: '%original_detection_search% | search user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/application/okta_multiple_failed_mfa_requests_for_user.yml b/detections/application/okta_multiple_failed_mfa_requests_for_user.yml index 37dcd99465..2c8978c81a 100644 --- a/detections/application/okta_multiple_failed_mfa_requests_for_user.yml +++ b/detections/application/okta_multiple_failed_mfa_requests_for_user.yml @@ -14,12 +14,12 @@ known_false_positives: Multiple Failed MFA requests may also be a sign of authen references: - https://attack.mitre.org/techniques/T1621/ drilldown_searches: -- name: View the detection results for $src_user$ - search: '%original_detection_search% | search src_user = $src_user$' +- name: View the detection results for - "$src_user$" + search: '%original_detection_search% | search src_user = "$src_user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $src_user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($src_user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$src_user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src_user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/application/okta_multiple_failed_requests_to_access_applications.yml b/detections/application/okta_multiple_failed_requests_to_access_applications.yml index 06a019d80f..55e920f461 100644 --- a/detections/application/okta_multiple_failed_requests_to_access_applications.yml +++ b/detections/application/okta_multiple_failed_requests_to_access_applications.yml @@ -5,35 +5,12 @@ date: '2024-10-17' author: John Murphy, Okta, Michael Haag, Splunk type: Hunting status: experimental -data_source: +data_source: - Okta -description: 'The following analytic detects multiple failed attempts to access applications - in Okta, potentially indicating the reuse of a stolen web session cookie. It leverages - Okta logs to evaluate policy and SSO events, aggregating data by user, session, - and IP. The detection triggers when more than half of the app sign-on attempts are - unsuccessful across multiple applications. This activity is significant as it may - indicate an attempt to bypass authentication mechanisms. If confirmed malicious, - it could lead to unauthorized access to sensitive applications and data, posing - a significant security risk.' -search: '`okta` target{}.type=AppInstance (eventType=policy.evaluate_sign_on outcome.result=CHALLENGE) - OR (eventType=user.authentication.sso outcome.result=SUCCESS) | eval targets=mvzip(''target{}.type'', - ''target{}.displayName'', ": ") | eval targets=mvfilter(targets LIKE "AppInstance%") - | stats count min(_time) as _time values(outcome.result) as outcome.result dc(eval(if(eventType="policy.evaluate_sign_on",targets,NULL))) - as total_challenges sum(eval(if(eventType="user.authentication.sso",1,0))) as total_successes - by authenticationContext.externalSessionId targets actor.alternateId client.ipAddress - | search total_challenges > 0 | stats min(_time) as _time values(*) as * sum(total_challenges) - as total_challenges sum(total_successes) as total_successes values(eval(if("outcome.result"="SUCCESS",targets,NULL))) - as success_apps values(eval(if(":outcome.result"!="SUCCESS",targets,NULL))) as no_success_apps - by authenticationContext.externalSessionId actor.alternateId client.ipAddress | - fillnull | eval ratio=round(total_successes/total_challenges,2), severity="HIGH", - mitre_technique_id="T1538", description="actor.alternateId". " from " . "client.ipAddress" - . " seen opening " . total_challenges . " chiclets/apps with " . total_successes - . " challenges successfully passed" | fields - count, targets | search ratio < 0.5 - total_challenges > 2 | `okta_multiple_failed_requests_to_access_applications_filter`' -how_to_implement: This analytic is specific to Okta and requires Okta:im2 logs to - be ingested. -known_false_positives: False positives may be present based on organization size and - configuration of Okta. +description: The following analytic detects multiple failed attempts to access applications in Okta, potentially indicating the reuse of a stolen web session cookie. It leverages Okta logs to evaluate policy and SSO events, aggregating data by user, session, and IP. The detection triggers when more than half of the app sign-on attempts are unsuccessful across multiple applications. This activity is significant as it may indicate an attempt to bypass authentication mechanisms. If confirmed malicious, it could lead to unauthorized access to sensitive applications and data, posing a significant security risk. +search: '`okta` target{}.type=AppInstance (eventType=policy.evaluate_sign_on outcome.result=CHALLENGE) OR (eventType=user.authentication.sso outcome.result=SUCCESS) | eval targets=mvzip(''target{}.type'', ''target{}.displayName'', ": ") | eval targets=mvfilter(targets LIKE "AppInstance%") | stats count min(_time) as _time values(outcome.result) as outcome.result dc(eval(if(eventType="policy.evaluate_sign_on",targets,NULL))) as total_challenges sum(eval(if(eventType="user.authentication.sso",1,0))) as total_successes by authenticationContext.externalSessionId targets actor.alternateId client.ipAddress | search total_challenges > 0 | stats min(_time) as _time values(*) as * sum(total_challenges) as total_challenges sum(total_successes) as total_successes values(eval(if("outcome.result"="SUCCESS",targets,NULL))) as success_apps values(eval(if(":outcome.result"!="SUCCESS",targets,NULL))) as no_success_apps by authenticationContext.externalSessionId actor.alternateId client.ipAddress | fillnull | eval ratio=round(total_successes/total_challenges,2), severity="HIGH", mitre_technique_id="T1538", description="actor.alternateId". " from " . "client.ipAddress" . " seen opening " . total_challenges . " chiclets/apps with " . total_successes . " challenges successfully passed" | fields - count, targets | search ratio < 0.5 total_challenges > 2 | `okta_multiple_failed_requests_to_access_applications_filter`' +how_to_implement: This analytic is specific to Okta and requires Okta:im2 logs to be ingested. +known_false_positives: False positives may be present based on organization size and configuration of Okta. references: - https://attack.mitre.org/techniques/T1538 - https://attack.mitre.org/techniques/T1550/004 diff --git a/detections/application/okta_multiple_users_failing_to_authenticate_from_ip.yml b/detections/application/okta_multiple_users_failing_to_authenticate_from_ip.yml index 4f0558a7f1..ef0695c6d9 100644 --- a/detections/application/okta_multiple_users_failing_to_authenticate_from_ip.yml +++ b/detections/application/okta_multiple_users_failing_to_authenticate_from_ip.yml @@ -15,12 +15,12 @@ references: - https://attack.mitre.org/techniques/T1110/003/ - https://splunkbase.splunk.com/app/6553 drilldown_searches: -- name: View the detection results for $user$ - search: '%original_detection_search% | search user = $user$' +- name: View the detection results for - "$user$" + search: '%original_detection_search% | search user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/application/okta_new_api_token_created.yml b/detections/application/okta_new_api_token_created.yml index 24d54cd656..efc52c59fb 100644 --- a/detections/application/okta_new_api_token_created.yml +++ b/detections/application/okta_new_api_token_created.yml @@ -15,12 +15,12 @@ references: - https://developer.okta.com/docs/reference/api/event-types/?q=security.threat.detected - https://splunkbase.splunk.com/app/6553 drilldown_searches: -- name: View the detection results for $user$ - search: '%original_detection_search% | search user = $user$' +- name: View the detection results for - "$user$" + search: '%original_detection_search% | search user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/application/okta_new_device_enrolled_on_account.yml b/detections/application/okta_new_device_enrolled_on_account.yml index eced83c102..f22e0a0020 100644 --- a/detections/application/okta_new_device_enrolled_on_account.yml +++ b/detections/application/okta_new_device_enrolled_on_account.yml @@ -15,12 +15,12 @@ references: - https://attack.mitre.org/techniques/T1098/005/ - https://developer.okta.com/docs/reference/api/event-types/?q=device.enrollment.create drilldown_searches: -- name: View the detection results for $user$ - search: '%original_detection_search% | search user = $user$' +- name: View the detection results for - "$user$" + search: '%original_detection_search% | search user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/application/okta_phishing_detection_with_fastpass_origin_check.yml b/detections/application/okta_phishing_detection_with_fastpass_origin_check.yml index acc66fb4e9..65f1958031 100644 --- a/detections/application/okta_phishing_detection_with_fastpass_origin_check.yml +++ b/detections/application/okta_phishing_detection_with_fastpass_origin_check.yml @@ -5,25 +5,12 @@ date: '2024-10-17' author: Okta, Inc, Michael Haag, Splunk type: TTP status: experimental -data_source: +data_source: - Okta -description: The following analytic identifies failed user authentication attempts - in Okta due to FastPass declining a phishing attempt. It leverages Okta logs, specifically - looking for events where multi-factor authentication (MFA) fails with the reason - "FastPass declined phishing attempt." This activity is significant as it indicates - that attackers are targeting users with real-time phishing proxies, attempting to - capture credentials. If confirmed malicious, this could lead to unauthorized access - to user accounts, potentially compromising sensitive information and furthering - lateral movement within the organization. -search: '`okta` eventType="user.authentication.auth_via_mfa" AND result="FAILURE" - AND outcome.reason="FastPass declined phishing attempt" | stats count min(_time) - as firstTime max(_time) as lastTime values(displayMessage) by user eventType client.userAgent.rawUserAgent - client.userAgent.browser outcome.reason | `security_content_ctime(firstTime)` | - `security_content_ctime(lastTime)` | `okta_phishing_detection_with_fastpass_origin_check_filter`' -how_to_implement: This search is specific to Okta and requires Okta logs to be ingested - in your Splunk deployment. -known_false_positives: Fidelity of this is high as Okta is specifying malicious infrastructure. - Filter and modify as needed. +description: The following analytic identifies failed user authentication attempts in Okta due to FastPass declining a phishing attempt. It leverages Okta logs, specifically looking for events where multi-factor authentication (MFA) fails with the reason "FastPass declined phishing attempt." This activity is significant as it indicates that attackers are targeting users with real-time phishing proxies, attempting to capture credentials. If confirmed malicious, this could lead to unauthorized access to user accounts, potentially compromising sensitive information and furthering lateral movement within the organization. +search: '`okta` eventType="user.authentication.auth_via_mfa" AND result="FAILURE" AND outcome.reason="FastPass declined phishing attempt" | stats count min(_time) as firstTime max(_time) as lastTime values(displayMessage) by user eventType client.userAgent.rawUserAgent client.userAgent.browser outcome.reason | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `okta_phishing_detection_with_fastpass_origin_check_filter`' +how_to_implement: This search is specific to Okta and requires Okta logs to be ingested in your Splunk deployment. +known_false_positives: Fidelity of this is high as Okta is specifying malicious infrastructure. Filter and modify as needed. references: - https://sec.okta.com/fastpassphishingdetection tags: diff --git a/detections/application/okta_risk_threshold_exceeded.yml b/detections/application/okta_risk_threshold_exceeded.yml index 06ff685f0c..c360e4a827 100644 --- a/detections/application/okta_risk_threshold_exceeded.yml +++ b/detections/application/okta_risk_threshold_exceeded.yml @@ -15,12 +15,12 @@ references: - https://developer.okta.com/docs/reference/api/event-types - https://sec.okta.com/everythingisyes drilldown_searches: -- name: View the detection results for $risk_object$ - search: '%original_detection_search% | search risk_object = $risk_object$' +- name: View the detection results for - "$risk_object$" + search: '%original_detection_search% | search risk_object = "$risk_object$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $risk_object$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($risk_object$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$risk_object$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$risk_object$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/application/okta_successful_single_factor_authentication.yml b/detections/application/okta_successful_single_factor_authentication.yml index 421c4d8600..fa763224c2 100644 --- a/detections/application/okta_successful_single_factor_authentication.yml +++ b/detections/application/okta_successful_single_factor_authentication.yml @@ -15,12 +15,12 @@ references: - https://sec.okta.com/everythingisyes - https://attack.mitre.org/techniques/T1078/004/ drilldown_searches: -- name: View the detection results for $user$ - search: '%original_detection_search% | search user = $user$' +- name: View the detection results for - "$user$" + search: '%original_detection_search% | search user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/application/okta_suspicious_activity_reported.yml b/detections/application/okta_suspicious_activity_reported.yml index f5377559f2..29ac37c307 100644 --- a/detections/application/okta_suspicious_activity_reported.yml +++ b/detections/application/okta_suspicious_activity_reported.yml @@ -14,12 +14,12 @@ known_false_positives: False positives should be minimal, given the high fidelit references: - https://help.okta.com/en-us/Content/Topics/Security/suspicious-activity-reporting.htm drilldown_searches: -- name: View the detection results for $user$ - search: '%original_detection_search% | search user = $user$' +- name: View the detection results for - "$user$" + search: '%original_detection_search% | search user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/application/okta_suspicious_use_of_a_session_cookie.yml b/detections/application/okta_suspicious_use_of_a_session_cookie.yml index 8d2a111deb..ec8d918f49 100644 --- a/detections/application/okta_suspicious_use_of_a_session_cookie.yml +++ b/detections/application/okta_suspicious_use_of_a_session_cookie.yml @@ -14,12 +14,12 @@ known_false_positives: False positives may occur, depending on the organization' references: - https://attack.mitre.org/techniques/T1539/ drilldown_searches: -- name: View the detection results for $user$ - search: '%original_detection_search% | search user = $user$' +- name: View the detection results for - "$user$" + search: '%original_detection_search% | search user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/application/okta_threatinsight_threat_detected.yml b/detections/application/okta_threatinsight_threat_detected.yml index a6eccbf053..ff8e450573 100644 --- a/detections/application/okta_threatinsight_threat_detected.yml +++ b/detections/application/okta_threatinsight_threat_detected.yml @@ -14,12 +14,12 @@ known_false_positives: False positives may occur. It is recommended to fine-tune references: - https://developer.okta.com/docs/reference/api/event-types/?q=security.threat.detected drilldown_searches: -- name: View the detection results for $app$ - search: '%original_detection_search% | search app = $app$' +- name: View the detection results for - "$app$" + search: '%original_detection_search% | search app = "$app$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $app$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($app$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$app$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$app$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/application/okta_unauthorized_access_to_application.yml b/detections/application/okta_unauthorized_access_to_application.yml index 6d2afb922d..b0c9aa46ea 100644 --- a/detections/application/okta_unauthorized_access_to_application.yml +++ b/detections/application/okta_unauthorized_access_to_application.yml @@ -14,12 +14,12 @@ known_false_positives: There is a possibility that a user may accidentally click references: - https://attack.mitre.org/techniques/T1110/003/ drilldown_searches: -- name: View the detection results for $user$ - search: '%original_detection_search% | search user = $user$' +- name: View the detection results for - "$user$" + search: '%original_detection_search% | search user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/application/okta_user_logins_from_multiple_cities.yml b/detections/application/okta_user_logins_from_multiple_cities.yml index a51e2c9345..49a48a1e63 100644 --- a/detections/application/okta_user_logins_from_multiple_cities.yml +++ b/detections/application/okta_user_logins_from_multiple_cities.yml @@ -14,12 +14,12 @@ known_false_positives: It is uncommon for a user to log in from multiple cities references: - https://attack.mitre.org/techniques/T1110/003/ drilldown_searches: -- name: View the detection results for $user$ - search: '%original_detection_search% | search user = $user$' +- name: View the detection results for - "$user$" + search: '%original_detection_search% | search user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/application/pingid_mismatch_auth_source_and_verification_response.yml b/detections/application/pingid_mismatch_auth_source_and_verification_response.yml index 80826960e5..6efe1f2075 100644 --- a/detections/application/pingid_mismatch_auth_source_and_verification_response.yml +++ b/detections/application/pingid_mismatch_auth_source_and_verification_response.yml @@ -17,12 +17,12 @@ references: - https://attack.mitre.org/techniques/T1556/006/ - https://docs.pingidentity.com/r/en-us/pingoneforenterprise/p14e_subscriptions?tocId=3xhnxjX3VzKNs3SXigWnQA drilldown_searches: -- name: View the detection results for $user$ and $src$ - search: '%original_detection_search% | search user = $user$ src = $src$' +- name: View the detection results for - "$user$" and "$src$" + search: '%original_detection_search% | search user = "$user$" src = "$src$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ and $src$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$, $src$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" and "$src$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$src$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/application/pingid_multiple_failed_mfa_requests_for_user.yml b/detections/application/pingid_multiple_failed_mfa_requests_for_user.yml index 7be0c53388..d00607d0bf 100644 --- a/detections/application/pingid_multiple_failed_mfa_requests_for_user.yml +++ b/detections/application/pingid_multiple_failed_mfa_requests_for_user.yml @@ -18,12 +18,12 @@ references: - https://attack.mitre.org/techniques/T1078/004/ - https://docs.pingidentity.com/r/en-us/pingoneforenterprise/p14e_subscriptions?tocId=3xhnxjX3VzKNs3SXigWnQA drilldown_searches: -- name: View the detection results for $user$ - search: '%original_detection_search% | search user = $user$' +- name: View the detection results for - "$user$" + search: '%original_detection_search% | search user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/application/pingid_new_mfa_method_after_credential_reset.yml b/detections/application/pingid_new_mfa_method_after_credential_reset.yml index 72d2facf1f..1acd9b572e 100644 --- a/detections/application/pingid_new_mfa_method_after_credential_reset.yml +++ b/detections/application/pingid_new_mfa_method_after_credential_reset.yml @@ -18,12 +18,12 @@ references: - https://attack.mitre.org/techniques/T1556/006/ - https://docs.pingidentity.com/r/en-us/pingoneforenterprise/p14e_subscriptions?tocId=3xhnxjX3VzKNs3SXigWnQA drilldown_searches: -- name: View the detection results for $user$ - search: '%original_detection_search% | search user = $user$' +- name: View the detection results for - "$user$" + search: '%original_detection_search% | search user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/application/pingid_new_mfa_method_registered_for_user.yml b/detections/application/pingid_new_mfa_method_registered_for_user.yml index 747018cedf..addf5d57bd 100644 --- a/detections/application/pingid_new_mfa_method_registered_for_user.yml +++ b/detections/application/pingid_new_mfa_method_registered_for_user.yml @@ -17,12 +17,12 @@ references: - https://attack.mitre.org/techniques/T1556/006/ - https://docs.pingidentity.com/r/en-us/pingoneforenterprise/p14e_subscriptions?tocId=3xhnxjX3VzKNs3SXigWnQA drilldown_searches: -- name: View the detection results for $user$ and $src$ - search: '%original_detection_search% | search user = $user$ src = $src$' +- name: View the detection results for - "$user$" and "$src$" + search: '%original_detection_search% | search user = "$user$" src = "$src$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ and $src$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$, $src$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" and "$src$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$src$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/application/suspicious_email_attachment_extensions.yml b/detections/application/suspicious_email_attachment_extensions.yml index e18b3930ab..fd986ae658 100644 --- a/detections/application/suspicious_email_attachment_extensions.yml +++ b/detections/application/suspicious_email_attachment_extensions.yml @@ -5,30 +5,14 @@ date: '2024-10-17' author: David Dorsey, Splunk status: experimental type: Anomaly -description: |- - The following analytic detects emails containing attachments with suspicious file extensions. It leverages the Email data model in Splunk, using the tstats command to identify emails where the attachment filename is not empty. This detection is significant for SOC analysts as it highlights potential phishing or malware delivery attempts, which are common vectors for data breaches and malware infections. If confirmed malicious, this activity could lead to unauthorized access to sensitive information, system compromise, or data exfiltration. Immediate review and analysis of the identified emails and attachments are crucial to mitigate these risks. +description: The following analytic detects emails containing attachments with suspicious file extensions. It leverages the Email data model in Splunk, using the tstats command to identify emails where the attachment filename is not empty. This detection is significant for SOC analysts as it highlights potential phishing or malware delivery attempts, which are common vectors for data breaches and malware infections. If confirmed malicious, this activity could lead to unauthorized access to sensitive information, system compromise, or data exfiltration. Immediate review and analysis of the identified emails and attachments are crucial to mitigate these risks. data_source: [] -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) - as lastTime from datamodel=Email where All_Email.file_name="*" by All_Email.src_user, - All_Email.file_name All_Email.message_id | `security_content_ctime(firstTime)` | - `security_content_ctime(lastTime)` | `drop_dm_object_name("All_Email")` | `suspicious_email_attachments` - | `suspicious_email_attachment_extensions_filter`' -how_to_implement: You need to ingest data from emails. Specifically, the sender's - address and the file names of any attachments must be mapped to the Email data - model. - +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Email where All_Email.file_name="*" by All_Email.src_user, All_Email.file_name All_Email.message_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `drop_dm_object_name("All_Email")` | `suspicious_email_attachments` | `suspicious_email_attachment_extensions_filter`' +how_to_implement: 'You need to ingest data from emails. Specifically, the sender''s address and the file names of any attachments must be mapped to the Email data model. + **Splunk Phantom Playbook Integration** - - If Splunk Phantom is also - configured in your environment, a Playbook called "Suspicious Email Attachment - Investigate and Delete" can be configured to run when any results are found by - this detection search. To use this integration, install the Phantom App for Splunk - `https://splunkbase.splunk.com/app/3411/`, and add the correct hostname to the - "Phantom Instance" field in the Adaptive Response Actions when configuring this - detection search. The notable event will be sent to Phantom and the playbook will - gather further information about the file attachment and its network behaviors. - If Phantom finds malicious behavior and an analyst approves of the results, the - email will be deleted from the user's inbox.' + + If Splunk Phantom is also configured in your environment, a Playbook called "Suspicious Email Attachment Investigate and Delete" can be configured to run when any results are found by this detection search. To use this integration, install the Phantom App for Splunk `https://splunkbase.splunk.com/app/3411/`, and add the correct hostname to the "Phantom Instance" field in the Adaptive Response Actions when configuring this detection search. The notable event will be sent to Phantom and the playbook will gather further information about the file attachment and its network behaviors. If Phantom finds malicious behavior and an analyst approves of the results, the email will be deleted from the user''s inbox.''' known_false_positives: None identified references: [] tags: diff --git a/detections/application/suspicious_java_classes.yml b/detections/application/suspicious_java_classes.yml index 0ba1465766..b918ceb4d0 100644 --- a/detections/application/suspicious_java_classes.yml +++ b/detections/application/suspicious_java_classes.yml @@ -5,24 +5,10 @@ date: '2024-10-17' author: Jose Hernandez, Splunk status: experimental type: Anomaly -description: The following analytic identifies suspicious Java classes often used - for remote command execution exploits in Java frameworks like Apache Struts. It - detects this activity by analyzing HTTP POST requests with specific content patterns - using Splunk's `stream_http` data source. This behavior is significant because it - may indicate an attempt to exploit vulnerabilities in web applications, potentially - leading to unauthorized remote code execution. If confirmed malicious, this activity - could allow attackers to execute arbitrary commands on the server, leading to data - breaches, system compromise, and further network infiltration. +description: The following analytic identifies suspicious Java classes often used for remote command execution exploits in Java frameworks like Apache Struts. It detects this activity by analyzing HTTP POST requests with specific content patterns using Splunk's `stream_http` data source. This behavior is significant because it may indicate an attempt to exploit vulnerabilities in web applications, potentially leading to unauthorized remote code execution. If confirmed malicious, this activity could allow attackers to execute arbitrary commands on the server, leading to data breaches, system compromise, and further network infiltration. data_source: [] -search: '`stream_http` http_method=POST http_content_length>1 | regex form_data="(?i)java\.lang\.(?:runtime|processbuilder)" - | rename src_ip as src | stats count earliest(_time) as firstTime, latest(_time) - as lastTime, values(url) as uri, values(status) as status, values(http_user_agent) - as http_user_agent by src, dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` - | `suspicious_java_classes_filter`' -how_to_implement: In order to properly run this search, Splunk needs to ingest data - from your web-traffic appliances that serve or sit in the path of your Struts application - servers. This can be accomplished by indexing data from a web proxy, or by using - network traffic-analysis tools, such as Splunk Stream or Bro. +search: '`stream_http` http_method=POST http_content_length>1 | regex form_data="(?i)java\.lang\.(?:runtime|processbuilder)" | rename src_ip as src | stats count earliest(_time) as firstTime, latest(_time) as lastTime, values(url) as uri, values(status) as status, values(http_user_agent) as http_user_agent by src, dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `suspicious_java_classes_filter`' +how_to_implement: In order to properly run this search, Splunk needs to ingest data from your web-traffic appliances that serve or sit in the path of your Struts application servers. This can be accomplished by indexing data from a web proxy, or by using network traffic-analysis tools, such as Splunk Stream or Bro. known_false_positives: There are no known false positives. references: [] tags: diff --git a/detections/application/web_servers_executing_suspicious_processes.yml b/detections/application/web_servers_executing_suspicious_processes.yml index 8266184c8f..8c79f797d2 100644 --- a/detections/application/web_servers_executing_suspicious_processes.yml +++ b/detections/application/web_servers_executing_suspicious_processes.yml @@ -5,27 +5,12 @@ date: '2024-10-17' author: David Dorsey, Splunk status: experimental type: TTP -description: |- - The following analytic detects the execution of suspicious processes on systems identified as web servers. It leverages the Splunk data model "Endpoint.Processes" to search for specific process names such as "whoami", "ping", "iptables", "wget", "service", and "curl". This activity is significant because these processes are often used by attackers for reconnaissance, persistence, or data exfiltration. If confirmed malicious, this could lead to data theft, deployment of additional malware, or even ransomware attacks. Immediate investigation is required to determine the legitimacy of the activity and mitigate potential threats. +description: The following analytic detects the execution of suspicious processes on systems identified as web servers. It leverages the Splunk data model "Endpoint.Processes" to search for specific process names such as "whoami", "ping", "iptables", "wget", "service", and "curl". This activity is significant because these processes are often used by attackers for reconnaissance, persistence, or data exfiltration. If confirmed malicious, this could lead to data theft, deployment of additional malware, or even ransomware attacks. Immediate investigation is required to determine the legitimacy of the activity and mitigate potential threats. data_source: - Sysmon EventID 1 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) - as lastTime from datamodel=Endpoint.Processes where Processes.dest_category="web_server" - AND (Processes.process="*whoami*" OR Processes.process="*ping*" OR Processes.process="*iptables*" - OR Processes.process="*wget*" OR Processes.process="*service*" OR Processes.process="*curl*") - by Processes.process Processes.process_name, Processes.dest Processes.user| `drop_dm_object_name(Processes)` - | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `web_servers_executing_suspicious_processes_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection - and Response (EDR) agents. These agents are designed to provide security-related - telemetry from the endpoints where the agent is installed. To implement this search, - you must ingest logs that contain the process GUID, process name, and parent process. - Additionally, you must ingest complete command-line executions. These logs must - be processed using the appropriate Splunk Technology Add-ons that are specific to - the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` - data model. Use the Splunk Common Information Model (CIM) to normalize the field - names and speed up the data modeling process. -known_false_positives: Some of these processes may be used legitimately on web servers - during maintenance or other administrative tasks. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.dest_category="web_server" AND (Processes.process="*whoami*" OR Processes.process="*ping*" OR Processes.process="*iptables*" OR Processes.process="*wget*" OR Processes.process="*service*" OR Processes.process="*curl*") by Processes.process Processes.process_name, Processes.dest Processes.user| `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `web_servers_executing_suspicious_processes_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. +known_false_positives: Some of these processes may be used legitimately on web servers during maintenance or other administrative tasks. references: [] tags: analytic_story: diff --git a/detections/application/windows_ad_add_self_to_group.yml b/detections/application/windows_ad_add_self_to_group.yml index 0e6959177b..f07ffac090 100644 --- a/detections/application/windows_ad_add_self_to_group.yml +++ b/detections/application/windows_ad_add_self_to_group.yml @@ -13,12 +13,12 @@ how_to_implement: This analytic requires eventCode 4728 to be ingested. known_false_positives: Unknown references: [] drilldown_searches: -- name: View the detection results for $user$ - search: '%original_detection_search% | search user = $user$' +- name: View the detection results for - "$user$" + search: '%original_detection_search% | search user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/application/windows_ad_dangerous_deny_acl_modification.yml b/detections/application/windows_ad_dangerous_deny_acl_modification.yml index 63ac14597a..ccab536112 100644 --- a/detections/application/windows_ad_dangerous_deny_acl_modification.yml +++ b/detections/application/windows_ad_dangerous_deny_acl_modification.yml @@ -16,12 +16,12 @@ references: - https://www.youtube.com/watch?v=_nGpZ1ydzS8 - https://lantern.splunk.com/Security/Product_Tips/Enterprise_Security/Enabling_an_audit_trail_from_Active_Directory drilldown_searches: -- name: View the detection results for $user$ and $src_user$ - search: '%original_detection_search% | search user = $user$ src_user = $src_user$' +- name: View the detection results for - "$user$" and "$src_user$" + search: '%original_detection_search% | search user = "$user$" src_user = "$src_user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ and $src_user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$, $src_user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" and "$src_user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$src_user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/application/windows_ad_dangerous_group_acl_modification.yml b/detections/application/windows_ad_dangerous_group_acl_modification.yml index d375299387..4deb97629e 100644 --- a/detections/application/windows_ad_dangerous_group_acl_modification.yml +++ b/detections/application/windows_ad_dangerous_group_acl_modification.yml @@ -17,12 +17,12 @@ references: - https://trustedsec.com/blog/a-hitchhackers-guide-to-dacl-based-detections-part-1-a - https://lantern.splunk.com/Security/Product_Tips/Enterprise_Security/Enabling_an_audit_trail_from_Active_Directory drilldown_searches: -- name: View the detection results for $user$ and $src_user$ - search: '%original_detection_search% | search user = $user$ src_user = $src_user$' +- name: View the detection results for - "$user$" and "$src_user$" + search: '%original_detection_search% | search user = "$user$" src_user = "$src_user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ and $src_user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$, $src_user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" and "$src_user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$src_user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/application/windows_ad_dangerous_user_acl_modification.yml b/detections/application/windows_ad_dangerous_user_acl_modification.yml index 536272e342..e3d9940100 100644 --- a/detections/application/windows_ad_dangerous_user_acl_modification.yml +++ b/detections/application/windows_ad_dangerous_user_acl_modification.yml @@ -17,12 +17,12 @@ references: - https://trustedsec.com/blog/a-hitchhackers-guide-to-dacl-based-detections-part-1-a - https://lantern.splunk.com/Security/Product_Tips/Enterprise_Security/Enabling_an_audit_trail_from_Active_Directory drilldown_searches: -- name: View the detection results for $user$ and $src_user$ - search: '%original_detection_search% | search user = $user$ src_user = $src_user$' +- name: View the detection results for - "$user$" and "$src_user$" + search: '%original_detection_search% | search user = "$user$" src_user = "$src_user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ and $src_user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$, $src_user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" and "$src_user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$src_user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/application/windows_ad_dcshadow_privileges_acl_addition.yml b/detections/application/windows_ad_dcshadow_privileges_acl_addition.yml index e02319c06d..6c5462e335 100644 --- a/detections/application/windows_ad_dcshadow_privileges_acl_addition.yml +++ b/detections/application/windows_ad_dcshadow_privileges_acl_addition.yml @@ -17,12 +17,12 @@ references: - https://trustedsec.com/blog/a-hitchhackers-guide-to-dacl-based-detections-part-1-a - https://lantern.splunk.com/Security/Product_Tips/Enterprise_Security/Enabling_an_audit_trail_from_Active_Directory drilldown_searches: -- name: View the detection results for $user$ and $src_user$ - search: '%original_detection_search% | search user = $user$ src_user = $src_user$' +- name: View the detection results for - "$user$" and "$src_user$" + search: '%original_detection_search% | search user = "$user$" src_user = "$src_user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ and $src_user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$, $src_user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" and "$src_user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$src_user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/application/windows_ad_domain_root_acl_deletion.yml b/detections/application/windows_ad_domain_root_acl_deletion.yml index 813f35a117..690fce9113 100644 --- a/detections/application/windows_ad_domain_root_acl_deletion.yml +++ b/detections/application/windows_ad_domain_root_acl_deletion.yml @@ -17,12 +17,12 @@ references: - https://trustedsec.com/blog/a-hitchhackers-guide-to-dacl-based-detections-part-1-a - https://lantern.splunk.com/Security/Product_Tips/Enterprise_Security/Enabling_an_audit_trail_from_Active_Directory drilldown_searches: -- name: View the detection results for $user$ and $src_user$ - search: '%original_detection_search% | search user = $user$ src_user = $src_user$' +- name: View the detection results for - "$user$" and "$src_user$" + search: '%original_detection_search% | search user = "$user$" src_user = "$src_user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ and $src_user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$, $src_user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" and "$src_user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$src_user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/application/windows_ad_domain_root_acl_modification.yml b/detections/application/windows_ad_domain_root_acl_modification.yml index e080591316..1ef69a8ac0 100644 --- a/detections/application/windows_ad_domain_root_acl_modification.yml +++ b/detections/application/windows_ad_domain_root_acl_modification.yml @@ -17,12 +17,12 @@ references: - https://trustedsec.com/blog/a-hitchhackers-guide-to-dacl-based-detections-part-1-a - https://lantern.splunk.com/Security/Product_Tips/Enterprise_Security/Enabling_an_audit_trail_from_Active_Directory drilldown_searches: -- name: View the detection results for $user$ and $src_user$ - search: '%original_detection_search% | search user = $user$ src_user = $src_user$' +- name: View the detection results for - "$user$" and "$src_user$" + search: '%original_detection_search% | search user = "$user$" src_user = "$src_user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ and $src_user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$, $src_user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" and "$src_user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$src_user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/application/windows_ad_gpo_deleted.yml b/detections/application/windows_ad_gpo_deleted.yml index d17d9b8f6a..24a6ffa4e2 100644 --- a/detections/application/windows_ad_gpo_deleted.yml +++ b/detections/application/windows_ad_gpo_deleted.yml @@ -14,12 +14,12 @@ known_false_positives: Unknown references: - https://lantern.splunk.com/Security/Product_Tips/Enterprise_Security/Enabling_an_audit_trail_from_Active_Directory drilldown_searches: -- name: View the detection results for $src_user$ - search: '%original_detection_search% | search src_user = $src_user$' +- name: View the detection results for - "$src_user$" + search: '%original_detection_search% | search src_user = "$src_user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $src_user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($src_user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$src_user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src_user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/application/windows_ad_gpo_disabled.yml b/detections/application/windows_ad_gpo_disabled.yml index df666c2b68..6fca7593b9 100644 --- a/detections/application/windows_ad_gpo_disabled.yml +++ b/detections/application/windows_ad_gpo_disabled.yml @@ -14,12 +14,12 @@ known_false_positives: Unknown references: - https://lantern.splunk.com/Security/Product_Tips/Enterprise_Security/Enabling_an_audit_trail_from_Active_Directory drilldown_searches: -- name: View the detection results for $src_user$ - search: '%original_detection_search% | search src_user = $src_user$' +- name: View the detection results for - "$src_user$" + search: '%original_detection_search% | search src_user = "$src_user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $src_user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($src_user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$src_user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src_user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/application/windows_ad_gpo_new_cse_addition.yml b/detections/application/windows_ad_gpo_new_cse_addition.yml index 7689f1b7ce..313498084f 100644 --- a/detections/application/windows_ad_gpo_new_cse_addition.yml +++ b/detections/application/windows_ad_gpo_new_cse_addition.yml @@ -17,12 +17,12 @@ references: - https://lantern.splunk.com/Security/Product_Tips/Enterprise_Security/Enabling_an_audit_trail_from_Active_Directory - https://github.com/FSecureLABS/SharpGPOAbuse drilldown_searches: -- name: View the detection results for $src_user$ - search: '%original_detection_search% | search src_user = $src_user$' +- name: View the detection results for - "$src_user$" + search: '%original_detection_search% | search src_user = "$src_user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $src_user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($src_user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$src_user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src_user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/application/windows_ad_hidden_ou_creation.yml b/detections/application/windows_ad_hidden_ou_creation.yml index df36692032..4e21d1ec9e 100644 --- a/detections/application/windows_ad_hidden_ou_creation.yml +++ b/detections/application/windows_ad_hidden_ou_creation.yml @@ -15,12 +15,12 @@ references: - https://happycamper84.medium.com/sneaky-persistence-via-hidden-objects-in-ad-1c91fc37bf54 - https://lantern.splunk.com/Security/Product_Tips/Enterprise_Security/Enabling_an_audit_trail_from_Active_Directory drilldown_searches: -- name: View the detection results for $user$ and $src_user$ - search: '%original_detection_search% | search user = $user$ src_user = $src_user$' +- name: View the detection results for - "$user$" and "$src_user$" + search: '%original_detection_search% | search user = "$user$" src_user = "$src_user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ and $src_user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$, $src_user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" and "$src_user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$src_user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/application/windows_ad_object_owner_updated.yml b/detections/application/windows_ad_object_owner_updated.yml index 5197a6490d..bdc0e64154 100644 --- a/detections/application/windows_ad_object_owner_updated.yml +++ b/detections/application/windows_ad_object_owner_updated.yml @@ -17,12 +17,12 @@ references: - https://trustedsec.com/blog/a-hitchhackers-guide-to-dacl-based-detections-part-1-a - https://lantern.splunk.com/Security/Product_Tips/Enterprise_Security/Enabling_an_audit_trail_from_Active_Directory drilldown_searches: -- name: View the detection results for $user$ and $src_user$ - search: '%original_detection_search% | search user = $user$ src_user = $src_user$' +- name: View the detection results for - "$user$" and "$src_user$" + search: '%original_detection_search% | search user = "$user$" src_user = "$src_user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ and $src_user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$, $src_user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" and "$src_user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$src_user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/application/windows_ad_privileged_group_modification.yml b/detections/application/windows_ad_privileged_group_modification.yml index a45cbd1f73..3256d9d220 100644 --- a/detections/application/windows_ad_privileged_group_modification.yml +++ b/detections/application/windows_ad_privileged_group_modification.yml @@ -7,13 +7,9 @@ status: experimental type: TTP data_source: - Windows Event Log Security 4728 -description: Detect users added to privileged AD Groups. -search: '`wineventlog_security` EventCode IN (4728) - | stats min(_time) as _time dc(user) as usercount, values(user) as user values(user_category) as user_category values(src_user_category) as src_user_category values(dvc) as dvc by signature, Group_Name,src_user - | lookup admon_groups_def cn as Group_Name OUTPUT category - | where category="privileged" | `windows_ad_privileged_group_modification_filter`' -how_to_implement: This analytic requires eventCode 4728 to be ingested along with the admon_groups_def lookup being configured to include a list of AD groups along with a category to identify privileged groups. - See splunkbase app listed in the references for further details. +description: Detect users added to privileged AD Groups. +search: '`wineventlog_security` EventCode IN (4728) | stats min(_time) as _time dc(user) as usercount, values(user) as user values(user_category) as user_category values(src_user_category) as src_user_category values(dvc) as dvc by signature, Group_Name,src_user | lookup admon_groups_def cn as Group_Name OUTPUT category | where category="privileged" | `windows_ad_privileged_group_modification_filter`' +how_to_implement: This analytic requires eventCode 4728 to be ingested along with the admon_groups_def lookup being configured to include a list of AD groups along with a category to identify privileged groups. See splunkbase app listed in the references for further details. known_false_positives: None references: - https://splunkbase.splunk.com/app/6853 @@ -51,4 +47,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098/account_manipulation/xml-windows-security.log source: XmlWinEventLog:Security - sourcetype: XmlWinEventLog \ No newline at end of file + sourcetype: XmlWinEventLog diff --git a/detections/application/windows_ad_self_dacl_assignment.yml b/detections/application/windows_ad_self_dacl_assignment.yml index 30a635f989..8164128afb 100644 --- a/detections/application/windows_ad_self_dacl_assignment.yml +++ b/detections/application/windows_ad_self_dacl_assignment.yml @@ -14,12 +14,12 @@ known_false_positives: Unknown references: - https://lantern.splunk.com/Security/Product_Tips/Enterprise_Security/Enabling_an_audit_trail_from_Active_Directory drilldown_searches: -- name: View the detection results for $src_user$ - search: '%original_detection_search% | search src_user = $src_user$' +- name: View the detection results for - "$src_user$" + search: '%original_detection_search% | search src_user = "$src_user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $src_user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($src_user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$src_user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src_user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/application/windows_ad_suspicious_attribute_modification.yml b/detections/application/windows_ad_suspicious_attribute_modification.yml index aa0728f733..726951d451 100644 --- a/detections/application/windows_ad_suspicious_attribute_modification.yml +++ b/detections/application/windows_ad_suspicious_attribute_modification.yml @@ -15,12 +15,12 @@ references: - https://trustedsec.com/blog/a-hitchhackers-guide-to-dacl-based-detections-part-1-a - https://lantern.splunk.com/Security/Product_Tips/Enterprise_Security/Enabling_an_audit_trail_from_Active_Directory drilldown_searches: -- name: View the detection results for $src_user$ and $dest$ - search: '%original_detection_search% | search src_user = $src_user$ dest = $dest$' +- name: View the detection results for - "$src_user$" and "$dest$" + search: '%original_detection_search% | search src_user = "$src_user$" dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $src_user$ and $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($src_user$, $dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$src_user$" and "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src_user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/application/windows_ad_suspicious_gpo_modification.yml b/detections/application/windows_ad_suspicious_gpo_modification.yml index 2d794d8494..6aa8e05935 100644 --- a/detections/application/windows_ad_suspicious_gpo_modification.yml +++ b/detections/application/windows_ad_suspicious_gpo_modification.yml @@ -8,34 +8,10 @@ type: TTP data_source: - Windows Security 5136 - Windows Security 5145 -description: This analytic looks for a the creation of potentially harmful GPO which could lead to persistence or code execution on remote hosts. - Note, this analyic is looking for the absence of the corresponding 5136 events which is evidence of the GPOs being manually edited (using a tool like PowerView) or potentially missing logs. -search: >- - `wineventlog_security` EventCode=5145 ShareName="\\\\*\\SYSVOL" RelativeTargetName IN (*\\ScheduledTasks.xml, *\\Groups.xml, *\\Registry.xml, *\\Services.xml, *\\Scripts\\*) NOT RelativeTargetName=*\\Scripts\\scripts.ini AccessMask=0x2 - | rex field=AccessList max_match=0 "(?P%%\d+)" - | table _time AccessMask src_ip src_user RelativeTargetName Logon_ID dvc - | rex field=RelativeTargetName "Policies\\\(?P{.*?})\\\(?P\w+?)\\\(\w+)\\\(?P\w+)\\\(?P\w+\.\w+)$" - | eval src=if(match(src_ip, "(?i)^fe80:"),dvc,src_ip), folder=case(RelativeTargetName like "%\\Scripts\\%","Scripts",folder="Groups","Local users and groups",1=1,folder) - | appendpipe - [| map search="search `wineventlog_security` EventCode=5136 ObjectClass=groupPolicyContainer AttributeLDAPDisplayName=gPCMachineExtensionNames $gpo_guid$" - | stats min(_time) as _time values(eval(if(OperationType=="%%14675",AttributeValue,null))) as old_value values(eval(if(OperationType=="%%14674",AttributeValue,null))) as new_value values(OperationType) as OperationType by ObjectClass ObjectDN OpCorrelationID src_user SubjectLogonId - | rex field=old_value max_match=10000 "(?P\{.*?\})" - | rex field=new_value max_match=10000 "(?P\{.*?\})" - | rex field=ObjectDN max_match=10000 "CN=(?P\{.*?\})" - | mvexpand new_values - | where NOT new_values IN (old_values,"{00000000-0000-0000-0000-000000000000}",policy_guid) AND match(new_values, "^\{[A-Z|\d]+\-[A-Z|\d]+\-[A-Z|\d]+\-[A-Z|\d]+\-[A-Z|\d]+\}") - | lookup msad_guid_lookup guid as new_values OUTPUTNEW displayName as policyType - | eval newPolicy=if(policyType like "%",policyType,new_values) - | stats values(OpCorrelationID) as OpCorrelationID values(newPolicy) as newPolicy by ObjectDN - | rex field=ObjectDN max_match=10000 "CN=(?P\{.*?\})" - | fields - ObjectDN] - | stats values(AccessMask) as AccessMask values(src) as src values(src_user) as src_user values(RelativeTargetName) as RelativeTargetName values(Logon_ID) as Logon_ID values(newPolicy) as newPolicy values(OpCorrelationID) as OpCorrelationID values(folder) as folder values(file) as file by gpo_guid - | mvexpand folder - | where NOT folder IN (newPolicy) - | `windows_ad_suspicious_gpo_modification_filter` -how_to_implement: Ingest EventCodes 5145 and 5136 from domain controllers. Additional SACLs required to capture EventCode 5136, see references for further information on how to configure this. - The Group Policy - Audit Detailed File Share will need to be enabled on the DCs to generate event code 5145, this event is very noisy on DCs, consider tuning out sysvol events which do not match access mask 0x2. -known_false_positives: When a GPO is manually edited and 5136 events are not logging to Splunk. +description: This analytic looks for a the creation of potentially harmful GPO which could lead to persistence or code execution on remote hosts. Note, this analyic is looking for the absence of the corresponding 5136 events which is evidence of the GPOs being manually edited (using a tool like PowerView) or potentially missing logs. +search: "`wineventlog_security` EventCode=5145 ShareName=\"\\\\\\\\*\\\\SYSVOL\" RelativeTargetName IN (*\\\\ScheduledTasks.xml, *\\\\Groups.xml, *\\\\Registry.xml, *\\\\Services.xml, *\\\\Scripts\\\\*) NOT RelativeTargetName=*\\\\Scripts\\\\scripts.ini AccessMask=0x2 | rex field=AccessList max_match=0 \"(?P%%\\d+)\" | table _time AccessMask src_ip src_user RelativeTargetName Logon_ID dvc | rex field=RelativeTargetName \"Policies\\\\\\(?P{.*?})\\\\\\(?P\\w+?)\\\\\\(\\w+)\\\\\\(?P\\w+)\\\\\\(?P\\w+\\.\\w+)$\" | eval src=if(match(src_ip, \"(?i)^fe80:\"),dvc,src_ip), folder=case(RelativeTargetName like \"%\\\\Scripts\\\\%\",\"Scripts\",folder=\"Groups\",\"Local users and groups\",1=1,folder) | appendpipe \n [| map search=\"search `wineventlog_security` EventCode=5136 ObjectClass=groupPolicyContainer AttributeLDAPDisplayName=gPCMachineExtensionNames $gpo_guid$\" \n | stats min(_time) as _time values(eval(if(OperationType==\"%%14675\",AttributeValue,null))) as old_value values(eval(if(OperationType==\"%%14674\",AttributeValue,null))) as new_value values(OperationType) as OperationType by ObjectClass ObjectDN OpCorrelationID src_user SubjectLogonId \n | rex field=old_value max_match=10000 \"(?P\\{.*?\\})\" \n | rex field=new_value max_match=10000 \"(?P\\{.*?\\})\" \n | rex field=ObjectDN max_match=10000 \"CN=(?P\\{.*?\\})\" \n | mvexpand new_values \n | where NOT new_values IN (old_values,\"{00000000-0000-0000-0000-000000000000}\",policy_guid) AND match(new_values, \"^\\{[A-Z|\\d]+\\-[A-Z|\\d]+\\-[A-Z|\\d]+\\-[A-Z|\\d]+\\-[A-Z|\\d]+\\}\") \n | lookup msad_guid_lookup guid as new_values OUTPUTNEW displayName as policyType \n | eval newPolicy=if(policyType like \"%\",policyType,new_values) \n | stats values(OpCorrelationID) as OpCorrelationID values(newPolicy) as newPolicy by ObjectDN \n | rex field=ObjectDN max_match=10000 \"CN=(?P\\{.*?\\})\" \n | fields - ObjectDN] \n| stats values(AccessMask) as AccessMask values(src) as src values(src_user) as src_user values(RelativeTargetName) as RelativeTargetName values(Logon_ID) as Logon_ID values(newPolicy) as newPolicy values(OpCorrelationID) as OpCorrelationID values(folder) as folder values(file) as file by gpo_guid | mvexpand folder | where NOT folder IN (newPolicy) | `windows_ad_suspicious_gpo_modification_filter`" +how_to_implement: Ingest EventCodes 5145 and 5136 from domain controllers. Additional SACLs required to capture EventCode 5136, see references for further information on how to configure this. The Group Policy - Audit Detailed File Share will need to be enabled on the DCs to generate event code 5145, this event is very noisy on DCs, consider tuning out sysvol events which do not match access mask 0x2. +known_false_positives: When a GPO is manually edited and 5136 events are not logging to Splunk. references: - https://github.com/PowerShellMafia/PowerSploit/blob/26a0757612e5654b4f792b012ab8f10f95d391c9/Recon/PowerView.ps1#L5907-L6122 - https://github.com/X-C3LL/GPOwned @@ -45,7 +21,7 @@ references: - https://lantern.splunk.com/Security/Product_Tips/Enterprise_Security/Enabling_an_audit_trail_from_Active_Directory tags: analytic_story: - - Sneaky Active Directory Persistence Tricks + - Sneaky Active Directory Persistence Tricks asset_type: Endpoint confidence: 80 impact: 100 @@ -56,34 +32,34 @@ tags: - T1222 - T1222.001 observable: - - name: user - type: User - role: - - Victim - - name: src_user - type: User - role: - - Victim + - name: user + type: User + role: + - Victim + - name: src_user + type: User + role: + - Victim product: - - Splunk Enterprise - - Splunk Enterprise Security - - Splunk Cloud + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud risk_score: 80 required_fields: - - _time - - OperationType - - ObjectDN - - OpCorrelationID - - src_user - - AttributeLDAPDisplayName - - AttributeValue - - ObjectClass - - SubjectLogonId - - DSName + - _time + - OperationType + - ObjectDN + - OpCorrelationID + - src_user + - AttributeLDAPDisplayName + - AttributeValue + - ObjectClass + - SubjectLogonId + - DSName security_domain: endpoint tests: - - name: True Positive Test - attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1484.001/gpo_new_cse/windows-security.log - source: XmlWinEventLog:Security - sourcetype: xmlwineventlog \ No newline at end of file +- name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1484.001/gpo_new_cse/windows-security.log + source: XmlWinEventLog:Security + sourcetype: xmlwineventlog diff --git a/detections/application/windows_increase_in_group_or_object_modification_activity.yml b/detections/application/windows_increase_in_group_or_object_modification_activity.yml index 60ea19e5d4..f2a1a593ec 100644 --- a/detections/application/windows_increase_in_group_or_object_modification_activity.yml +++ b/detections/application/windows_increase_in_group_or_object_modification_activity.yml @@ -13,12 +13,12 @@ how_to_implement: Run this detection looking over a 7 day timeframe for best res known_false_positives: Unknown references: [] drilldown_searches: -- name: View the detection results for $src_user$ - search: '%original_detection_search% | search src_user = $src_user$' +- name: View the detection results for - "$src_user$" + search: '%original_detection_search% | search src_user = "$src_user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $src_user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($src_user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$src_user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src_user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/application/windows_increase_in_user_modification_activity.yml b/detections/application/windows_increase_in_user_modification_activity.yml index 3c50550ec5..11c461d17f 100644 --- a/detections/application/windows_increase_in_user_modification_activity.yml +++ b/detections/application/windows_increase_in_user_modification_activity.yml @@ -13,12 +13,12 @@ how_to_implement: Run this detection looking over a 7 day timeframe for best res known_false_positives: Genuine activity references: [] drilldown_searches: -- name: View the detection results for $src_user$ - search: '%original_detection_search% | search src_user = $src_user$' +- name: View the detection results for - "$src_user$" + search: '%original_detection_search% | search src_user = "$src_user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $src_user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($src_user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$src_user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src_user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/cloud/abnormally_high_number_of_cloud_infrastructure_api_calls.yml b/detections/cloud/abnormally_high_number_of_cloud_infrastructure_api_calls.yml index ce8aaf8d19..5c8ebae8a8 100644 --- a/detections/cloud/abnormally_high_number_of_cloud_infrastructure_api_calls.yml +++ b/detections/cloud/abnormally_high_number_of_cloud_infrastructure_api_calls.yml @@ -5,30 +5,11 @@ date: '2024-10-17' author: David Dorsey, Splunk status: experimental type: Anomaly -description: The following analytic detects a spike in the number of API calls made - to your cloud infrastructure by a user. It leverages cloud infrastructure logs and - compares the current API call volume against a baseline probability density function - to identify anomalies. This activity is significant because an unusual increase - in API calls can indicate potential misuse or compromise of cloud resources. If - confirmed malicious, this could lead to unauthorized access, data exfiltration, - or disruption of cloud services, posing a significant risk to the organization's - cloud environment. -data_source: +description: The following analytic detects a spike in the number of API calls made to your cloud infrastructure by a user. It leverages cloud infrastructure logs and compares the current API call volume against a baseline probability density function to identify anomalies. This activity is significant because an unusual increase in API calls can indicate potential misuse or compromise of cloud resources. If confirmed malicious, this could lead to unauthorized access, data exfiltration, or disruption of cloud services, posing a significant risk to the organization's cloud environment. +data_source: - AWS CloudTrail -search: '| tstats count as api_calls values(All_Changes.command) as command from datamodel=Change - where All_Changes.user!=unknown All_Changes.status=success by All_Changes.user _time - span=1h | `drop_dm_object_name("All_Changes")` | eval HourOfDay=strftime(_time, - "%H") | eval HourOfDay=floor(HourOfDay/4)*4 | eval DayOfWeek=strftime(_time, "%w") - | eval isWeekend=if(DayOfWeek >= 1 AND DayOfWeek <= 5, 0, 1) | join user HourOfDay - isWeekend [ summary cloud_excessive_api_calls_v1] | where cardinality >=16 | apply - cloud_excessive_api_calls_v1 threshold=0.005 | rename "IsOutlier(api_calls)" as - isOutlier | where isOutlier=1 | eval expected_upper_threshold = mvindex(split(mvindex(BoundaryRanges, - -1), ":"), 0) | where api_calls > expected_upper_threshold | eval distance_from_threshold - = api_calls - expected_upper_threshold | table _time, user, command, api_calls, - expected_upper_threshold, distance_from_threshold | `abnormally_high_number_of_cloud_infrastructure_api_calls_filter`' -how_to_implement: You must be ingesting your cloud infrastructure logs. You also must - run the baseline search `Baseline Of Cloud Infrastructure API Calls Per User` to - create the probability density function. +search: '| tstats count as api_calls values(All_Changes.command) as command from datamodel=Change where All_Changes.user!=unknown All_Changes.status=success by All_Changes.user _time span=1h | `drop_dm_object_name("All_Changes")` | eval HourOfDay=strftime(_time, "%H") | eval HourOfDay=floor(HourOfDay/4)*4 | eval DayOfWeek=strftime(_time, "%w") | eval isWeekend=if(DayOfWeek >= 1 AND DayOfWeek <= 5, 0, 1) | join user HourOfDay isWeekend [ summary cloud_excessive_api_calls_v1] | where cardinality >=16 | apply cloud_excessive_api_calls_v1 threshold=0.005 | rename "IsOutlier(api_calls)" as isOutlier | where isOutlier=1 | eval expected_upper_threshold = mvindex(split(mvindex(BoundaryRanges, -1), ":"), 0) | where api_calls > expected_upper_threshold | eval distance_from_threshold = api_calls - expected_upper_threshold | table _time, user, command, api_calls, expected_upper_threshold, distance_from_threshold | `abnormally_high_number_of_cloud_infrastructure_api_calls_filter`' +how_to_implement: You must be ingesting your cloud infrastructure logs. You also must run the baseline search `Baseline Of Cloud Infrastructure API Calls Per User` to create the probability density function. known_false_positives: None. references: [] tags: @@ -38,8 +19,7 @@ tags: asset_type: AWS Instance confidence: 50 impact: 30 - message: user $user$ has made $api_calls$ api calls, violating the dynamic threshold - of $expected_upper_threshold$ with the following command $command$. + message: user $user$ has made $api_calls$ api calls, violating the dynamic threshold of $expected_upper_threshold$ with the following command $command$. mitre_attack_id: - T1078.004 - T1078 @@ -62,8 +42,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/suspicious_behaviour/abnormally_high_cloud_instances_launched/cloudtrail_behavioural_detections.json + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/suspicious_behaviour/abnormally_high_cloud_instances_launched/cloudtrail_behavioural_detections.json sourcetype: aws:cloudtrail source: aws_cloudtrail update_timestamp: true diff --git a/detections/cloud/abnormally_high_number_of_cloud_instances_destroyed.yml b/detections/cloud/abnormally_high_number_of_cloud_instances_destroyed.yml index 042f705b4b..f08c410c3f 100644 --- a/detections/cloud/abnormally_high_number_of_cloud_instances_destroyed.yml +++ b/detections/cloud/abnormally_high_number_of_cloud_instances_destroyed.yml @@ -5,35 +5,12 @@ date: '2024-10-22' author: David Dorsey, Splunk status: experimental type: Anomaly -description: The following analytic identifies an abnormally high number of cloud - instances being destroyed within a 4-hour period. It leverages cloud infrastructure - logs and applies a probability density model to detect outliers. This activity is - significant for a SOC because a sudden spike in destroyed instances could indicate - malicious activity, such as an insider threat or a compromised account attempting - to disrupt services. If confirmed malicious, this could lead to significant operational - disruptions, data loss, and potential financial impact due to the destruction of - critical cloud resources. -data_source: +description: The following analytic identifies an abnormally high number of cloud instances being destroyed within a 4-hour period. It leverages cloud infrastructure logs and applies a probability density model to detect outliers. This activity is significant for a SOC because a sudden spike in destroyed instances could indicate malicious activity, such as an insider threat or a compromised account attempting to disrupt services. If confirmed malicious, this could lead to significant operational disruptions, data loss, and potential financial impact due to the destruction of critical cloud resources. +data_source: - AWS CloudTrail -search: '| tstats count as instances_destroyed values(All_Changes.object_id) as object_id - from datamodel=Change where All_Changes.action=deleted AND All_Changes.status=success - AND All_Changes.object_category=instance by All_Changes.user _time span=1h | `drop_dm_object_name("All_Changes")` - | eval HourOfDay=strftime(_time, "%H") | eval HourOfDay=floor(HourOfDay/4)*4 | eval - DayOfWeek=strftime(_time, "%w") | eval isWeekend=if(DayOfWeek >= 1 AND DayOfWeek - <= 5, 0, 1) | join HourOfDay isWeekend [summary cloud_excessive_instances_destroyed_v1] - | where cardinality >=16 | apply cloud_excessive_instances_destroyed_v1 threshold=0.005 - | rename "IsOutlier(instances_destroyed)" as isOutlier | where isOutlier=1 | eval - expected_upper_threshold = mvindex(split(mvindex(BoundaryRanges, -1), ":"), 0) | - eval distance_from_threshold = instances_destroyed - expected_upper_threshold | - table _time, user, instances_destroyed, expected_upper_threshold, distance_from_threshold, - object_id | `abnormally_high_number_of_cloud_instances_destroyed_filter`' -how_to_implement: You must be ingesting your cloud infrastructure logs. You also must - run the baseline search `Baseline Of Cloud Instances Destroyed` to create the probability - density function. -known_false_positives: Many service accounts configured within a cloud infrastructure - are known to exhibit this behavior. Please adjust the threshold values and filter - out service accounts from the output. Always verify if this search alerted on a - human user. +search: '| tstats count as instances_destroyed values(All_Changes.object_id) as object_id from datamodel=Change where All_Changes.action=deleted AND All_Changes.status=success AND All_Changes.object_category=instance by All_Changes.user _time span=1h | `drop_dm_object_name("All_Changes")` | eval HourOfDay=strftime(_time, "%H") | eval HourOfDay=floor(HourOfDay/4)*4 | eval DayOfWeek=strftime(_time, "%w") | eval isWeekend=if(DayOfWeek >= 1 AND DayOfWeek <= 5, 0, 1) | join HourOfDay isWeekend [summary cloud_excessive_instances_destroyed_v1] | where cardinality >=16 | apply cloud_excessive_instances_destroyed_v1 threshold=0.005 | rename "IsOutlier(instances_destroyed)" as isOutlier | where isOutlier=1 | eval expected_upper_threshold = mvindex(split(mvindex(BoundaryRanges, -1), ":"), 0) | eval distance_from_threshold = instances_destroyed - expected_upper_threshold | table _time, user, instances_destroyed, expected_upper_threshold, distance_from_threshold, object_id | `abnormally_high_number_of_cloud_instances_destroyed_filter`' +how_to_implement: You must be ingesting your cloud infrastructure logs. You also must run the baseline search `Baseline Of Cloud Instances Destroyed` to create the probability density function. +known_false_positives: Many service accounts configured within a cloud infrastructure are known to exhibit this behavior. Please adjust the threshold values and filter out service accounts from the output. Always verify if this search alerted on a human user. references: [] tags: analytic_story: diff --git a/detections/cloud/abnormally_high_number_of_cloud_instances_launched.yml b/detections/cloud/abnormally_high_number_of_cloud_instances_launched.yml index 555914d18f..93a18c80b5 100644 --- a/detections/cloud/abnormally_high_number_of_cloud_instances_launched.yml +++ b/detections/cloud/abnormally_high_number_of_cloud_instances_launched.yml @@ -5,34 +5,12 @@ date: '2024-10-22' author: David Dorsey, Splunk status: experimental type: Anomaly -description: The following analytic detects an abnormally high number of cloud instances - launched within a 4-hour period. It leverages cloud infrastructure logs and applies - a probability density model to identify outliers based on historical data. This - activity is significant for a SOC because a sudden spike in instance creation could - indicate unauthorized access or misuse of cloud resources. If confirmed malicious, - this behavior could lead to resource exhaustion, increased costs, or provide attackers - with additional compute resources to further their objectives. -data_source: +description: The following analytic detects an abnormally high number of cloud instances launched within a 4-hour period. It leverages cloud infrastructure logs and applies a probability density model to identify outliers based on historical data. This activity is significant for a SOC because a sudden spike in instance creation could indicate unauthorized access or misuse of cloud resources. If confirmed malicious, this behavior could lead to resource exhaustion, increased costs, or provide attackers with additional compute resources to further their objectives. +data_source: - AWS CloudTrail -search: '| tstats count as instances_launched values(All_Changes.object_id) as object_id - from datamodel=Change where (All_Changes.action=created) AND All_Changes.status=success - AND All_Changes.object_category=instance by All_Changes.user _time span=1h | `drop_dm_object_name("All_Changes")` - | eval HourOfDay=strftime(_time, "%H") | eval HourOfDay=floor(HourOfDay/4)*4 | eval - DayOfWeek=strftime(_time, "%w") | eval isWeekend=if(DayOfWeek >= 1 AND DayOfWeek - <= 5, 0, 1) | join HourOfDay isWeekend [summary cloud_excessive_instances_created_v1] - | where cardinality >=16 | apply cloud_excessive_instances_created_v1 threshold=0.005 - | rename "IsOutlier(instances_launched)" as isOutlier | where isOutlier=1 | eval - expected_upper_threshold = mvindex(split(mvindex(BoundaryRanges, -1), ":"), 0) | - eval distance_from_threshold = instances_launched - expected_upper_threshold | table - _time, user, instances_launched, expected_upper_threshold, distance_from_threshold, - object_id | `abnormally_high_number_of_cloud_instances_launched_filter`' -how_to_implement: You must be ingesting your cloud infrastructure logs. You also must - run the baseline search `Baseline Of Cloud Instances Launched` to create the probability - density function. -known_false_positives: Many service accounts configured within an AWS infrastructure - are known to exhibit this behavior. Please adjust the threshold values and filter - out service accounts from the output. Always verify if this search alerted on a - human user. +search: '| tstats count as instances_launched values(All_Changes.object_id) as object_id from datamodel=Change where (All_Changes.action=created) AND All_Changes.status=success AND All_Changes.object_category=instance by All_Changes.user _time span=1h | `drop_dm_object_name("All_Changes")` | eval HourOfDay=strftime(_time, "%H") | eval HourOfDay=floor(HourOfDay/4)*4 | eval DayOfWeek=strftime(_time, "%w") | eval isWeekend=if(DayOfWeek >= 1 AND DayOfWeek <= 5, 0, 1) | join HourOfDay isWeekend [summary cloud_excessive_instances_created_v1] | where cardinality >=16 | apply cloud_excessive_instances_created_v1 threshold=0.005 | rename "IsOutlier(instances_launched)" as isOutlier | where isOutlier=1 | eval expected_upper_threshold = mvindex(split(mvindex(BoundaryRanges, -1), ":"), 0) | eval distance_from_threshold = instances_launched - expected_upper_threshold | table _time, user, instances_launched, expected_upper_threshold, distance_from_threshold, object_id | `abnormally_high_number_of_cloud_instances_launched_filter`' +how_to_implement: You must be ingesting your cloud infrastructure logs. You also must run the baseline search `Baseline Of Cloud Instances Launched` to create the probability density function. +known_false_positives: Many service accounts configured within an AWS infrastructure are known to exhibit this behavior. Please adjust the threshold values and filter out service accounts from the output. Always verify if this search alerted on a human user. references: [] tags: analytic_story: diff --git a/detections/cloud/abnormally_high_number_of_cloud_security_group_api_calls.yml b/detections/cloud/abnormally_high_number_of_cloud_security_group_api_calls.yml index 60d725e9da..ac1b861904 100644 --- a/detections/cloud/abnormally_high_number_of_cloud_security_group_api_calls.yml +++ b/detections/cloud/abnormally_high_number_of_cloud_security_group_api_calls.yml @@ -5,31 +5,12 @@ date: '2024-10-17' author: David Dorsey, Splunk status: experimental type: Anomaly -description: The following analytic detects a spike in the number of API calls made - to cloud security groups by a user. It leverages data from the Change data model, - focusing on successful firewall-related changes. This activity is significant because - an abnormal increase in security group API calls can indicate potential malicious - activity, such as unauthorized access or configuration changes. If confirmed malicious, - this could allow an attacker to manipulate security group settings, potentially - exposing sensitive resources or disrupting network security controls. +description: The following analytic detects a spike in the number of API calls made to cloud security groups by a user. It leverages data from the Change data model, focusing on successful firewall-related changes. This activity is significant because an abnormal increase in security group API calls can indicate potential malicious activity, such as unauthorized access or configuration changes. If confirmed malicious, this could allow an attacker to manipulate security group settings, potentially exposing sensitive resources or disrupting network security controls. data_source: - AWS CloudTrail -search: '| tstats count as security_group_api_calls values(All_Changes.command) as - command from datamodel=Change where All_Changes.object_category=firewall AND All_Changes.status=success - by All_Changes.user _time span=1h | `drop_dm_object_name("All_Changes")` | eval - HourOfDay=strftime(_time, "%H") | eval HourOfDay=floor(HourOfDay/4)*4 | eval DayOfWeek=strftime(_time, - "%w") | eval isWeekend=if(DayOfWeek >= 1 AND DayOfWeek <= 5, 0, 1) | join user HourOfDay - isWeekend [ summary cloud_excessive_security_group_api_calls_v1] | where cardinality - >=16 | apply cloud_excessive_security_group_api_calls_v1 threshold=0.005 | rename - "IsOutlier(security_group_api_calls)" as isOutlier | where isOutlier=1 | eval expected_upper_threshold - = mvindex(split(mvindex(BoundaryRanges, -1), ":"), 0) | where security_group_api_calls - > expected_upper_threshold | eval distance_from_threshold = security_group_api_calls - - expected_upper_threshold | table _time, user, command, security_group_api_calls, - expected_upper_threshold, distance_from_threshold | `abnormally_high_number_of_cloud_security_group_api_calls_filter`' -how_to_implement: You must be ingesting your cloud infrastructure logs. You also must - run the baseline search `Baseline Of Cloud Security Group API Calls Per User` to - create the probability density function model. -known_false_positives: 'None.' +search: '| tstats count as security_group_api_calls values(All_Changes.command) as command from datamodel=Change where All_Changes.object_category=firewall AND All_Changes.status=success by All_Changes.user _time span=1h | `drop_dm_object_name("All_Changes")` | eval HourOfDay=strftime(_time, "%H") | eval HourOfDay=floor(HourOfDay/4)*4 | eval DayOfWeek=strftime(_time, "%w") | eval isWeekend=if(DayOfWeek >= 1 AND DayOfWeek <= 5, 0, 1) | join user HourOfDay isWeekend [ summary cloud_excessive_security_group_api_calls_v1] | where cardinality >=16 | apply cloud_excessive_security_group_api_calls_v1 threshold=0.005 | rename "IsOutlier(security_group_api_calls)" as isOutlier | where isOutlier=1 | eval expected_upper_threshold = mvindex(split(mvindex(BoundaryRanges, -1), ":"), 0) | where security_group_api_calls > expected_upper_threshold | eval distance_from_threshold = security_group_api_calls - expected_upper_threshold | table _time, user, command, security_group_api_calls, expected_upper_threshold, distance_from_threshold | `abnormally_high_number_of_cloud_security_group_api_calls_filter`' +how_to_implement: You must be ingesting your cloud infrastructure logs. You also must run the baseline search `Baseline Of Cloud Security Group API Calls Per User` to create the probability density function model. +known_false_positives: None. references: [] tags: analytic_story: @@ -37,9 +18,7 @@ tags: asset_type: AWS Instance confidence: 50 impact: 30 - message: user $user$ has made $api_calls$ api calls related to security groups, - violating the dynamic threshold of $expected_upper_threshold$ with the following - command $command$. + message: user $user$ has made $api_calls$ api calls related to security groups, violating the dynamic threshold of $expected_upper_threshold$ with the following command $command$. mitre_attack_id: - T1078.004 - T1078 @@ -63,8 +42,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/suspicious_behaviour/abnormally_high_cloud_instances_launched/cloudtrail_behavioural_detections.json + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/suspicious_behaviour/abnormally_high_cloud_instances_launched/cloudtrail_behavioural_detections.json sourcetype: aws:cloudtrail source: aws_cloudtrail update_timestamp: true diff --git a/detections/cloud/amazon_eks_kubernetes_cluster_scan_detection.yml b/detections/cloud/amazon_eks_kubernetes_cluster_scan_detection.yml index 3035a6cf97..16e8024f5b 100644 --- a/detections/cloud/amazon_eks_kubernetes_cluster_scan_detection.yml +++ b/detections/cloud/amazon_eks_kubernetes_cluster_scan_detection.yml @@ -5,25 +5,11 @@ date: '2024-10-17' author: Rod Soto, Splunk status: experimental type: Hunting -description: The following analytic detects unauthenticated requests to an Amazon - EKS Kubernetes cluster, specifically identifying actions by the "system:anonymous" - user. It leverages AWS CloudWatch Logs data, focusing on user agents and authentication - details. This activity is significant as it may indicate unauthorized scanning or - probing of the Kubernetes cluster, which could be a precursor to an attack. If confirmed - malicious, this could lead to unauthorized access, data exfiltration, or disruption - of services within the Kubernetes environment. +description: The following analytic detects unauthenticated requests to an Amazon EKS Kubernetes cluster, specifically identifying actions by the "system:anonymous" user. It leverages AWS CloudWatch Logs data, focusing on user agents and authentication details. This activity is significant as it may indicate unauthorized scanning or probing of the Kubernetes cluster, which could be a precursor to an attack. If confirmed malicious, this could lead to unauthorized access, data exfiltration, or disruption of services within the Kubernetes environment. data_source: [] -search: '`aws_cloudwatchlogs_eks` "user.username"="system:anonymous" userAgent!="AWS - Security Scanner" | rename sourceIPs{} as src_ip | stats count min(_time) as firstTime - max(_time) as lastTime values(responseStatus.reason) values(source) as cluster_name - values(responseStatus.code) values(userAgent) as http_user_agent values(verb) values(requestURI) - by src_ip user.username user.groups{} | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` - |`amazon_eks_kubernetes_cluster_scan_detection_filter`' -how_to_implement: You must install the AWS App for Splunk (version 5.1.0 or later) - and Splunk Add-on for AWS (version 4.4.0 or later), then configure your CloudWatch - EKS Logs inputs. -known_false_positives: Not all unauthenticated requests are malicious, but frequency, - UA and source IPs will provide context. +search: '`aws_cloudwatchlogs_eks` "user.username"="system:anonymous" userAgent!="AWS Security Scanner" | rename sourceIPs{} as src_ip | stats count min(_time) as firstTime max(_time) as lastTime values(responseStatus.reason) values(source) as cluster_name values(responseStatus.code) values(userAgent) as http_user_agent values(verb) values(requestURI) by src_ip user.username user.groups{} | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` |`amazon_eks_kubernetes_cluster_scan_detection_filter`' +how_to_implement: You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your CloudWatch EKS Logs inputs. +known_false_positives: Not all unauthenticated requests are malicious, but frequency, UA and source IPs will provide context. references: [] tags: analytic_story: diff --git a/detections/cloud/amazon_eks_kubernetes_pod_scan_detection.yml b/detections/cloud/amazon_eks_kubernetes_pod_scan_detection.yml index 7f44a6ac18..3795333aaf 100644 --- a/detections/cloud/amazon_eks_kubernetes_pod_scan_detection.yml +++ b/detections/cloud/amazon_eks_kubernetes_pod_scan_detection.yml @@ -5,21 +5,11 @@ date: '2024-10-17' author: Rod Soto, Splunk status: experimental type: Hunting -description: |- - The following analytic detects unauthenticated requests made against the Kubernetes Pods API, indicating potential unauthorized access attempts. It leverages the `aws_cloudwatchlogs_eks` data source, filtering for events where `user.username` is "system:anonymous", `verb` is "list", and `objectRef.resource` is "pods", with `requestURI` set to "/api/v1/pods". This activity is significant as it may signal attempts to access sensitive resources or execute unauthorized commands within the Kubernetes environment. If confirmed malicious, such access could lead to data compromise, unauthorized command execution, or lateral movement within the cluster. +description: The following analytic detects unauthenticated requests made against the Kubernetes Pods API, indicating potential unauthorized access attempts. It leverages the `aws_cloudwatchlogs_eks` data source, filtering for events where `user.username` is "system:anonymous", `verb` is "list", and `objectRef.resource` is "pods", with `requestURI` set to "/api/v1/pods". This activity is significant as it may signal attempts to access sensitive resources or execute unauthorized commands within the Kubernetes environment. If confirmed malicious, such access could lead to data compromise, unauthorized command execution, or lateral movement within the cluster. data_source: [] -search: '`aws_cloudwatchlogs_eks` "user.username"="system:anonymous" verb=list objectRef.resource=pods - requestURI="/api/v1/pods" | rename source as cluster_name sourceIPs{} as src_ip - | stats count min(_time) as firstTime max(_time) as lastTime values(responseStatus.reason) - values(responseStatus.code) values(userAgent) values(verb) values(requestURI) by - src_ip cluster_name user.username user.groups{} | `security_content_ctime(lastTime)` - | `security_content_ctime(firstTime)` | `amazon_eks_kubernetes_pod_scan_detection_filter`' -how_to_implement: You must install the AWS App for Splunk (version 5.1.0 or later) - and Splunk Add-on forAWS (version 4.4.0 or later), then configure your AWS CloudWatch - EKS Logs.Please also customize the `kubernetes_pods_aws_scan_fingerprint_detection` - macro to filter out the false positives. -known_false_positives: Not all unauthenticated requests are malicious, but frequency, - UA and source IPs and direct request to API provide context. +search: '`aws_cloudwatchlogs_eks` "user.username"="system:anonymous" verb=list objectRef.resource=pods requestURI="/api/v1/pods" | rename source as cluster_name sourceIPs{} as src_ip | stats count min(_time) as firstTime max(_time) as lastTime values(responseStatus.reason) values(responseStatus.code) values(userAgent) values(verb) values(requestURI) by src_ip cluster_name user.username user.groups{} | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `amazon_eks_kubernetes_pod_scan_detection_filter`' +how_to_implement: You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on forAWS (version 4.4.0 or later), then configure your AWS CloudWatch EKS Logs.Please also customize the `kubernetes_pods_aws_scan_fingerprint_detection` macro to filter out the false positives. +known_false_positives: Not all unauthenticated requests are malicious, but frequency, UA and source IPs and direct request to API provide context. references: [] tags: analytic_story: diff --git a/detections/cloud/asl_aws_concurrent_sessions_from_different_ips.yml b/detections/cloud/asl_aws_concurrent_sessions_from_different_ips.yml index cb2332cdef..b73048a0b5 100644 --- a/detections/cloud/asl_aws_concurrent_sessions_from_different_ips.yml +++ b/detections/cloud/asl_aws_concurrent_sessions_from_different_ips.yml @@ -15,12 +15,12 @@ references: - https://breakdev.org/evilginx-2-next-generation-of-phishing-2fa-tokens/ - https://github.com/kgretzky/evilginx2 drilldown_searches: -- name: View the detection results for $user$ - search: '%original_detection_search% | search user = $user$' +- name: View the detection results for - "$user$" + search: '%original_detection_search% | search user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/cloud/asl_aws_defense_evasion_delete_cloudtrail.yml b/detections/cloud/asl_aws_defense_evasion_delete_cloudtrail.yml index 32cf48cb4c..51ebc415fb 100644 --- a/detections/cloud/asl_aws_defense_evasion_delete_cloudtrail.yml +++ b/detections/cloud/asl_aws_defense_evasion_delete_cloudtrail.yml @@ -13,12 +13,12 @@ known_false_positives: While this search has no known false positives, it is pos references: - https://attack.mitre.org/techniques/T1562/008/ drilldown_searches: -- name: View the detection results for $user$ - search: '%original_detection_search% | search user = $user$' +- name: View the detection results for - "$user$" + search: '%original_detection_search% | search user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/cloud/asl_aws_defense_evasion_delete_cloudwatch_log_group.yml b/detections/cloud/asl_aws_defense_evasion_delete_cloudwatch_log_group.yml index 6d4654e7f9..0f8e4198ed 100644 --- a/detections/cloud/asl_aws_defense_evasion_delete_cloudwatch_log_group.yml +++ b/detections/cloud/asl_aws_defense_evasion_delete_cloudwatch_log_group.yml @@ -13,12 +13,12 @@ known_false_positives: While this search has no known false positives, it is pos references: - https://attack.mitre.org/techniques/T1562/008/ drilldown_searches: -- name: View the detection results for $user$ - search: '%original_detection_search% | search user = $user$' +- name: View the detection results for - "$user$" + search: '%original_detection_search% | search user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/cloud/asl_aws_defense_evasion_impair_security_services.yml b/detections/cloud/asl_aws_defense_evasion_impair_security_services.yml index 35a3e426b1..9188eab76a 100644 --- a/detections/cloud/asl_aws_defense_evasion_impair_security_services.yml +++ b/detections/cloud/asl_aws_defense_evasion_impair_security_services.yml @@ -5,30 +5,11 @@ date: '2024-10-17' author: Patrick Bareiss, Bhavin Patel, Gowthamaraj Rajendran, Splunk status: production type: Hunting -description: The following analytic detects the deletion of critical AWS Security - Services configurations, such as CloudWatch alarms, GuardDuty detectors, and Web - Application Firewall rules. It leverages Amazon Security Lake logs to identify specific - API calls like "DeleteLogStream" and "DeleteDetector." This activity is significant - because adversaries often use these actions to disable security monitoring and evade - detection. If confirmed malicious, this could allow attackers to operate undetected, - leading to potential data breaches, unauthorized access, and prolonged persistence - within the AWS environment. +description: The following analytic detects the deletion of critical AWS Security Services configurations, such as CloudWatch alarms, GuardDuty detectors, and Web Application Firewall rules. It leverages Amazon Security Lake logs to identify specific API calls like "DeleteLogStream" and "DeleteDetector." This activity is significant because adversaries often use these actions to disable security monitoring and evade detection. If confirmed malicious, this could allow attackers to operate undetected, leading to potential data breaches, unauthorized access, and prolonged persistence within the AWS environment. data_source: [] -search: '`amazon_security_lake` api.operation IN ("DeleteLogStream","DeleteDetector","DeleteIPSet","DeleteWebACL","DeleteRule","DeleteRuleGroup","DeleteLoggingConfiguration","DeleteAlarms") - | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by api.operation - actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region - | rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, - http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id - | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `asl_aws_defense_evasion_impair_security_services_filter`' -how_to_implement: The detection is based on Amazon Security Lake events from Amazon - Web Services (AWS), which is a centralized data lake that provides security-related - data from AWS services. To use this detection, you must ingest CloudTrail logs from - Amazon Security Lake into Splunk. To run this search, ensure that you ingest events - using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) - or the Federated Analytics App. -known_false_positives: While this search has no known false positives, it is possible - that it is a legitimate admin activity. Please consider filtering out these noisy - events using userAgent, user_arn field names. +search: '`amazon_security_lake` api.operation IN ("DeleteLogStream","DeleteDetector","DeleteIPSet","DeleteWebACL","DeleteRule","DeleteRuleGroup","DeleteLoggingConfiguration","DeleteAlarms") | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region | rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `asl_aws_defense_evasion_impair_security_services_filter`' +how_to_implement: The detection is based on Amazon Security Lake events from Amazon Web Services (AWS), which is a centralized data lake that provides security-related data from AWS services. To use this detection, you must ingest CloudTrail logs from Amazon Security Lake into Splunk. To run this search, ensure that you ingest events using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) or the Federated Analytics App. +known_false_positives: While this search has no known false positives, it is possible that it is a legitimate admin activity. Please consider filtering out these noisy events using userAgent, user_arn field names. references: - https://docs.aws.amazon.com/cli/latest/reference/guardduty/index.html - https://docs.aws.amazon.com/cli/latest/reference/waf/index.html @@ -39,8 +20,7 @@ tags: asset_type: AWS Account confidence: 60 impact: 70 - message: User $user$ has made potentially risky api calls $api.operation$ that could - impair AWS security services for account id $aws_account_id$ + message: User $user$ has made potentially risky api calls $api.operation$ that could impair AWS security services for account id $aws_account_id$ mitre_attack_id: - T1562.008 - T1562 @@ -70,7 +50,6 @@ tags: tests: - name: True Positive Test attack_data: - - data: - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.008/aws_delete_security_services/asl_ocsf_cloudtrail.json + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.008/aws_delete_security_services/asl_ocsf_cloudtrail.json sourcetype: aws:cloudtrail:lake source: aws_asl diff --git a/detections/cloud/asl_aws_defense_evasion_stop_logging_cloudtrail.yml b/detections/cloud/asl_aws_defense_evasion_stop_logging_cloudtrail.yml index d441987776..06d6855331 100644 --- a/detections/cloud/asl_aws_defense_evasion_stop_logging_cloudtrail.yml +++ b/detections/cloud/asl_aws_defense_evasion_stop_logging_cloudtrail.yml @@ -13,12 +13,12 @@ known_false_positives: While this search has no known false positives, it is pos references: - https://attack.mitre.org/techniques/T1562/008/ drilldown_searches: -- name: View the detection results for $user$ - search: '%original_detection_search% | search user = $user$' +- name: View the detection results for - "$user$" + search: '%original_detection_search% | search user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/cloud/asl_aws_defense_evasion_update_cloudtrail.yml b/detections/cloud/asl_aws_defense_evasion_update_cloudtrail.yml index f9557b1918..5e700e7519 100644 --- a/detections/cloud/asl_aws_defense_evasion_update_cloudtrail.yml +++ b/detections/cloud/asl_aws_defense_evasion_update_cloudtrail.yml @@ -13,12 +13,12 @@ known_false_positives: While this search has no known false positives, it is pos references: - https://attack.mitre.org/techniques/T1562/008/ drilldown_searches: -- name: View the detection results for $user$ - search: '%original_detection_search% | search user = $user$' +- name: View the detection results for - "$user$" + search: '%original_detection_search% | search user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/cloud/asl_aws_ecr_container_upload_outside_business_hours.yml b/detections/cloud/asl_aws_ecr_container_upload_outside_business_hours.yml index 6bb10e2b3f..664e40bfbb 100644 --- a/detections/cloud/asl_aws_ecr_container_upload_outside_business_hours.yml +++ b/detections/cloud/asl_aws_ecr_container_upload_outside_business_hours.yml @@ -13,12 +13,12 @@ known_false_positives: When your development is spreaded in different time zones references: - https://attack.mitre.org/techniques/T1204/003/ drilldown_searches: -- name: View the detection results for $user$ - search: '%original_detection_search% | search user = $user$' +- name: View the detection results for - "$user$" + search: '%original_detection_search% | search user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/cloud/asl_aws_ecr_container_upload_unknown_user.yml b/detections/cloud/asl_aws_ecr_container_upload_unknown_user.yml index 0cd52d07bf..b3506df343 100644 --- a/detections/cloud/asl_aws_ecr_container_upload_unknown_user.yml +++ b/detections/cloud/asl_aws_ecr_container_upload_unknown_user.yml @@ -13,12 +13,12 @@ known_false_positives: unknown references: - https://attack.mitre.org/techniques/T1204/003/ drilldown_searches: -- name: View the detection results for $user$ - search: '%original_detection_search% | search user = $user$' +- name: View the detection results for - "$user$" + search: '%original_detection_search% | search user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/cloud/asl_aws_iam_delete_policy.yml b/detections/cloud/asl_aws_iam_delete_policy.yml index 2c99b15e2c..f130dda68e 100644 --- a/detections/cloud/asl_aws_iam_delete_policy.yml +++ b/detections/cloud/asl_aws_iam_delete_policy.yml @@ -5,30 +5,11 @@ date: '2024-10-17' author: Patrick Bareiss, Splunk status: production type: Hunting -description: The following analytic identifies when a policy is deleted in AWS. It - leverages Amazon Security Lake logs to detect the DeletePolicy API operation. Monitoring - policy deletions is crucial as it can indicate unauthorized attempts to weaken security - controls. If confirmed malicious, this activity could allow an attacker to remove - critical security policies, potentially leading to privilege escalation or unauthorized - access to sensitive resources. +description: The following analytic identifies when a policy is deleted in AWS. It leverages Amazon Security Lake logs to detect the DeletePolicy API operation. Monitoring policy deletions is crucial as it can indicate unauthorized attempts to weaken security controls. If confirmed malicious, this activity could allow an attacker to remove critical security policies, potentially leading to privilege escalation or unauthorized access to sensitive resources. data_source: [] -search: '`amazon_security_lake` api.operation=DeletePolicy | fillnull | stats count - min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid - actor.user.name actor.user.uid http_request.user_agent src_endpoint.ip cloud.region - | rename actor.user.name as user, src_endpoint.ip as src_ip, cloud.region as region, - http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id - | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `asl_aws_iam_delete_policy_filter`' -how_to_implement: The detection is based on Amazon Security Lake events from Amazon - Web Services (AWS), which is a centralized data lake that provides security-related - data from AWS services. To use this detection, you must ingest CloudTrail logs from - Amazon Security Lake into Splunk. To run this search, ensure that you ingest events - using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) - or the Federated Analytics App. -known_false_positives: This detection will require tuning to provide high fidelity - detection capabilties. Tune based on src addresses (corporate offices, VPN terminations) - or by groups of users. Not every user with AWS access should have permission to - delete policies (least privilege). In addition, this may be saved seperately and - tuned for failed or success attempts only. +search: '`amazon_security_lake` api.operation=DeletePolicy | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.name actor.user.uid http_request.user_agent src_endpoint.ip cloud.region | rename actor.user.name as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `asl_aws_iam_delete_policy_filter`' +how_to_implement: The detection is based on Amazon Security Lake events from Amazon Web Services (AWS), which is a centralized data lake that provides security-related data from AWS services. To use this detection, you must ingest CloudTrail logs from Amazon Security Lake into Splunk. To run this search, ensure that you ingest events using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) or the Federated Analytics App. +known_false_positives: This detection will require tuning to provide high fidelity detection capabilties. Tune based on src addresses (corporate offices, VPN terminations) or by groups of users. Not every user with AWS access should have permission to delete policies (least privilege). In addition, this may be saved seperately and tuned for failed or success attempts only. references: - https://docs.aws.amazon.com/IAM/latest/APIReference/API_DeletePolicy.html - https://docs.aws.amazon.com/cli/latest/reference/iam/delete-policy.html @@ -67,7 +48,6 @@ tags: tests: - name: True Positive Test attack_data: - - data: - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098/aws_iam_delete_policy/asl_ocsf_cloudtrail.json + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098/aws_iam_delete_policy/asl_ocsf_cloudtrail.json sourcetype: aws:cloudtrail:lake source: aws_asl diff --git a/detections/cloud/asl_aws_iam_failure_group_deletion.yml b/detections/cloud/asl_aws_iam_failure_group_deletion.yml index b82b466708..1476e1877d 100644 --- a/detections/cloud/asl_aws_iam_failure_group_deletion.yml +++ b/detections/cloud/asl_aws_iam_failure_group_deletion.yml @@ -14,12 +14,12 @@ references: - https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/delete-group.html - https://docs.aws.amazon.com/IAM/latest/APIReference/API_DeleteGroup.html drilldown_searches: -- name: View the detection results for $user$ - search: '%original_detection_search% | search user = $user$' +- name: View the detection results for - "$user$" + search: '%original_detection_search% | search user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/cloud/asl_aws_iam_successful_group_deletion.yml b/detections/cloud/asl_aws_iam_successful_group_deletion.yml index 3931ef4f5b..99c5289b53 100644 --- a/detections/cloud/asl_aws_iam_successful_group_deletion.yml +++ b/detections/cloud/asl_aws_iam_successful_group_deletion.yml @@ -5,23 +5,11 @@ date: '2024-10-22' author: Patrick Bareiss, Splunk status: production type: Hunting -description: The following analytic detects the successful deletion of a group within AWS IAM, leveraging CloudTrail IAM events. - This action, while not inherently malicious, can serve as a precursor to more sinister activities, such as unauthorized access or - privilege escalation attempts. By monitoring for such deletions, the analytic aids in identifying potential preparatory steps towards - an attack, allowing for early detection and mitigation. The identification of this behavior is crucial for a SOC to prevent the potential - impact of an attack, which could include unauthorized access to sensitive resources or disruption of AWS environment operations. +description: The following analytic detects the successful deletion of a group within AWS IAM, leveraging CloudTrail IAM events. This action, while not inherently malicious, can serve as a precursor to more sinister activities, such as unauthorized access or privilege escalation attempts. By monitoring for such deletions, the analytic aids in identifying potential preparatory steps towards an attack, allowing for early detection and mitigation. The identification of this behavior is crucial for a SOC to prevent the potential impact of an attack, which could include unauthorized access to sensitive resources or disruption of AWS environment operations. data_source: [] -search: '`amazon_security_lake` api.operation=DeleteGroup status=Success - | fillnull - | stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.name actor.user.uid http_request.user_agent src_endpoint.ip cloud.region - | rename actor.user.name as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id - | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` - | `asl_aws_iam_successful_group_deletion_filter`' -how_to_implement: You must install the Data Lake Federated Analytics App and ingest the logs into Splunk. -known_false_positives: This detection will require tuning to provide high fidelity - detection capabilties. Tune based on src addresses (corporate offices, VPN terminations) - or by groups of users. Not every user with AWS access should have permission to - delete groups (least privilege). +search: '`amazon_security_lake` api.operation=DeleteGroup status=Success | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.name actor.user.uid http_request.user_agent src_endpoint.ip cloud.region | rename actor.user.name as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `asl_aws_iam_successful_group_deletion_filter`' +how_to_implement: You must install the Data Lake Federated Analytics App and ingest the logs into Splunk. +known_false_positives: This detection will require tuning to provide high fidelity detection capabilties. Tune based on src addresses (corporate offices, VPN terminations) or by groups of users. Not every user with AWS access should have permission to delete groups (least privilege). references: - https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/delete-group.html - https://docs.aws.amazon.com/IAM/latest/APIReference/API_DeleteGroup.html @@ -51,8 +39,8 @@ tags: - Splunk Cloud required_fields: - api.operation - - actor.user.account_uid - - actor.user.name + - actor.user.account_uid + - actor.user.name - actor.user.uid - http_request.user_agent - src_endpoint.ip diff --git a/detections/cloud/asl_aws_multi_factor_authentication_disabled.yml b/detections/cloud/asl_aws_multi_factor_authentication_disabled.yml index 56f9685677..df252c921e 100644 --- a/detections/cloud/asl_aws_multi_factor_authentication_disabled.yml +++ b/detections/cloud/asl_aws_multi_factor_authentication_disabled.yml @@ -14,12 +14,12 @@ references: - https://attack.mitre.org/techniques/T1621/ - https://aws.amazon.com/what-is/mfa/ drilldown_searches: -- name: View the detection results for $user$ - search: '%original_detection_search% | search user = $user$' +- name: View the detection results for - "$user$" + search: '%original_detection_search% | search user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/cloud/asl_aws_new_mfa_method_registered_for_user.yml b/detections/cloud/asl_aws_new_mfa_method_registered_for_user.yml index 2967f18a73..989b32fff1 100644 --- a/detections/cloud/asl_aws_new_mfa_method_registered_for_user.yml +++ b/detections/cloud/asl_aws_new_mfa_method_registered_for_user.yml @@ -5,29 +5,11 @@ date: '2024-10-17' author: Patrick Bareiss, Splunk status: experimental type: TTP -description: The following analytic identifies the registration of a new Multi-Factor - Authentication (MFA) method for an AWS account, as logged through Amazon Security - Lake (ASL). It detects this activity by monitoring the `CreateVirtualMFADevice` - API operation within ASL logs. This behavior is significant because adversaries - who gain unauthorized access to an AWS account may register a new MFA method to - maintain persistence. If confirmed malicious, this activity could allow attackers - to secure their access, making it harder to detect and remove their presence from - the compromised environment. +description: The following analytic identifies the registration of a new Multi-Factor Authentication (MFA) method for an AWS account, as logged through Amazon Security Lake (ASL). It detects this activity by monitoring the `CreateVirtualMFADevice` API operation within ASL logs. This behavior is significant because adversaries who gain unauthorized access to an AWS account may register a new MFA method to maintain persistence. If confirmed malicious, this activity could allow attackers to secure their access, making it harder to detect and remove their presence from the compromised environment. data_source: [] -search: '`amazon_security_lake` api.operation=CreateVirtualMFADevice | fillnull | - stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid - actor.user.name actor.user.uid http_request.user_agent src_endpoint.ip cloud.region - | rename actor.user.name as user, src_endpoint.ip as src_ip, cloud.region as region, - http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id - | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `asl_aws_new_mfa_method_registered_for_user_filter`' -how_to_implement: The detection is based on Amazon Security Lake events from Amazon - Web Services (AWS), which is a centralized data lake that provides security-related - data from AWS services. To use this detection, you must ingest CloudTrail logs from - Amazon Security Lake into Splunk. To run this search, ensure that you ingest events - using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) - or the Federated Analytics App. -known_false_positives: Newly onboarded users who are registering an MFA method for - the first time will also trigger this detection. +search: '`amazon_security_lake` api.operation=CreateVirtualMFADevice | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.name actor.user.uid http_request.user_agent src_endpoint.ip cloud.region | rename actor.user.name as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `asl_aws_new_mfa_method_registered_for_user_filter`' +how_to_implement: The detection is based on Amazon Security Lake events from Amazon Web Services (AWS), which is a centralized data lake that provides security-related data from AWS services. To use this detection, you must ingest CloudTrail logs from Amazon Security Lake into Splunk. To run this search, ensure that you ingest events using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) or the Federated Analytics App. +known_false_positives: Newly onboarded users who are registering an MFA method for the first time will also trigger this detection. references: - https://aws.amazon.com/blogs/security/you-can-now-assign-multiple-mfa-devices-in-iam/ - https://attack.mitre.org/techniques/T1556/ @@ -69,7 +51,6 @@ tags: tests: - name: True Positive Test attack_data: - - data: - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1556.006/aws_new_mfa_method_registered_for_user/asl_ocsf_cloudtrail.json + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1556.006/aws_new_mfa_method_registered_for_user/asl_ocsf_cloudtrail.json sourcetype: aws:cloudtrail:lake source: aws_asl diff --git a/detections/cloud/aws_ami_attribute_modification_for_exfiltration.yml b/detections/cloud/aws_ami_attribute_modification_for_exfiltration.yml index bf8249137f..8ed30c0d5b 100644 --- a/detections/cloud/aws_ami_attribute_modification_for_exfiltration.yml +++ b/detections/cloud/aws_ami_attribute_modification_for_exfiltration.yml @@ -16,12 +16,12 @@ references: - https://stratus-red-team.cloud/attack-techniques/AWS/aws.exfiltration.ec2-share-ami/ - https://hackingthe.cloud/aws/enumeration/loot_public_ebs_snapshots/ drilldown_searches: -- name: View the detection results for $aws_account_id$ - search: '%original_detection_search% | search aws_account_id = $aws_account_id$' +- name: View the detection results for - "$aws_account_id$" + search: '%original_detection_search% | search aws_account_id = "$aws_account_id$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $aws_account_id$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($aws_account_id$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$aws_account_id$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$aws_account_id$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/cloud/aws_concurrent_sessions_from_different_ips.yml b/detections/cloud/aws_concurrent_sessions_from_different_ips.yml index 6d3d8d7c50..bfe25effd2 100644 --- a/detections/cloud/aws_concurrent_sessions_from_different_ips.yml +++ b/detections/cloud/aws_concurrent_sessions_from_different_ips.yml @@ -16,12 +16,12 @@ references: - https://breakdev.org/evilginx-2-next-generation-of-phishing-2fa-tokens/ - https://github.com/kgretzky/evilginx2 drilldown_searches: -- name: View the detection results for $user_arn$ - search: '%original_detection_search% | search user_arn = $user_arn$' +- name: View the detection results for - "$user_arn$" + search: '%original_detection_search% | search user_arn = "$user_arn$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user_arn$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user_arn$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user_arn$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user_arn$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/cloud/aws_console_login_failed_during_mfa_challenge.yml b/detections/cloud/aws_console_login_failed_during_mfa_challenge.yml index 0f8eaa42e8..753a51ea7a 100644 --- a/detections/cloud/aws_console_login_failed_during_mfa_challenge.yml +++ b/detections/cloud/aws_console_login_failed_during_mfa_challenge.yml @@ -15,12 +15,12 @@ references: - https://attack.mitre.org/techniques/T1621/ - https://aws.amazon.com/what-is/mfa/ drilldown_searches: -- name: View the detection results for $user_name$ - search: '%original_detection_search% | search user_name = $user_name$' +- name: View the detection results for - "$user_name$" + search: '%original_detection_search% | search user_name = "$user_name$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user_name$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user_name$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user_name$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user_name$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/cloud/aws_create_policy_version_to_allow_all_resources.yml b/detections/cloud/aws_create_policy_version_to_allow_all_resources.yml index bb7b4357f2..567992adfa 100644 --- a/detections/cloud/aws_create_policy_version_to_allow_all_resources.yml +++ b/detections/cloud/aws_create_policy_version_to_allow_all_resources.yml @@ -15,12 +15,12 @@ references: - https://bishopfox.com/blog/privilege-escalation-in-aws - https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation-part-2/ drilldown_searches: -- name: View the detection results for $user$ - search: '%original_detection_search% | search user = $user$' +- name: View the detection results for - "$user$" + search: '%original_detection_search% | search user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/cloud/aws_createaccesskey.yml b/detections/cloud/aws_createaccesskey.yml index 0493f004c0..80e4d0492a 100644 --- a/detections/cloud/aws_createaccesskey.yml +++ b/detections/cloud/aws_createaccesskey.yml @@ -5,25 +5,12 @@ date: '2024-10-17' author: Bhavin Patel, Splunk status: production type: Hunting -description: The following analytic identifies the creation of AWS IAM access keys - by a user for another user, which can indicate privilege escalation. It leverages - AWS CloudTrail logs to detect instances where the user creating the access key is - different from the user for whom the key is created. This activity is significant - because unauthorized access key creation can allow attackers to establish persistence - or exfiltrate data via AWS APIs. If confirmed malicious, this could lead to unauthorized - access to AWS services, data exfiltration, and long-term persistence in the environment. +description: The following analytic identifies the creation of AWS IAM access keys by a user for another user, which can indicate privilege escalation. It leverages AWS CloudTrail logs to detect instances where the user creating the access key is different from the user for whom the key is created. This activity is significant because unauthorized access key creation can allow attackers to establish persistence or exfiltrate data via AWS APIs. If confirmed malicious, this could lead to unauthorized access to AWS services, data exfiltration, and long-term persistence in the environment. data_source: - AWS CloudTrail CreateAccessKey -search: '`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com - errorCode = success | eval match=if(match(userIdentity.userName,requestParameters.userName),1,0) - | search match=0 | stats count min(_time) as firstTime max(_time) as lastTime by - requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent - eventID awsRegion userIdentity.principalId user_arn | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` |`aws_createaccesskey_filter`' -how_to_implement: You must install splunk AWS add on and Splunk App for AWS. This - search works with AWS CloudTrail logs. -known_false_positives: While this search has no known false positives, it is possible - that an AWS admin has legitimately created keys for another user. +search: '`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com errorCode = success | eval match=if(match(userIdentity.userName,requestParameters.userName),1,0) | search match=0 | stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` |`aws_createaccesskey_filter`' +how_to_implement: You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs. +known_false_positives: While this search has no known false positives, it is possible that an AWS admin has legitimately created keys for another user. references: - https://bishopfox.com/blog/privilege-escalation-in-aws - https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation-part-2/ @@ -33,8 +20,7 @@ tags: asset_type: AWS Account confidence: 90 impact: 70 - message: User $user_arn$ is attempting to create access keys for $requestParameters.userName$ - from this IP $src$ + message: User $user_arn$ is attempting to create access keys for $requestParameters.userName$ from this IP $src$ mitre_attack_id: - T1136.003 - T1136 @@ -62,8 +48,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078/aws_createaccesskey/aws_cloudtrail_events.json + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078/aws_createaccesskey/aws_cloudtrail_events.json sourcetype: aws:cloudtrail source: aws_cloudtrail update_timestamp: true diff --git a/detections/cloud/aws_createloginprofile.yml b/detections/cloud/aws_createloginprofile.yml index 168ffcccb2..df61daf43b 100644 --- a/detections/cloud/aws_createloginprofile.yml +++ b/detections/cloud/aws_createloginprofile.yml @@ -15,12 +15,12 @@ references: - https://bishopfox.com/blog/privilege-escalation-in-aws - https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation-part-2/ drilldown_searches: -- name: View the detection results for $user_arn$ - search: '%original_detection_search% | search user_arn = $user_arn$' +- name: View the detection results for - "$user_arn$" + search: '%original_detection_search% | search user_arn = "$user_arn$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user_arn$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user_arn$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user_arn$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user_arn$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/cloud/aws_credential_access_failed_login.yml b/detections/cloud/aws_credential_access_failed_login.yml index 0ab510954b..725eaabcc0 100644 --- a/detections/cloud/aws_credential_access_failed_login.yml +++ b/detections/cloud/aws_credential_access_failed_login.yml @@ -14,12 +14,12 @@ known_false_positives: Users may genuinely mistype or forget the password. references: - https://attack.mitre.org/techniques/T1110/001/ drilldown_searches: -- name: View the detection results for $user$ - search: '%original_detection_search% | search user = $user$' +- name: View the detection results for - "$user$" + search: '%original_detection_search% | search user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/cloud/aws_credential_access_getpassworddata.yml b/detections/cloud/aws_credential_access_getpassworddata.yml index 46dbbf1836..e44bd0923d 100644 --- a/detections/cloud/aws_credential_access_getpassworddata.yml +++ b/detections/cloud/aws_credential_access_getpassworddata.yml @@ -15,12 +15,12 @@ references: - https://attack.mitre.org/techniques/T1552/ - https://stratus-red-team.cloud/attack-techniques/AWS/aws.credential-access.ec2-get-password-data/ drilldown_searches: -- name: View the detection results for $user_arn$ - search: '%original_detection_search% | search user_arn = $user_arn$' +- name: View the detection results for - "$user_arn$" + search: '%original_detection_search% | search user_arn = "$user_arn$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user_arn$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user_arn$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user_arn$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user_arn$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/cloud/aws_credential_access_rds_password_reset.yml b/detections/cloud/aws_credential_access_rds_password_reset.yml index de3867ffae..12fec148b6 100644 --- a/detections/cloud/aws_credential_access_rds_password_reset.yml +++ b/detections/cloud/aws_credential_access_rds_password_reset.yml @@ -14,12 +14,12 @@ known_false_positives: Users may genuinely reset the RDS password. references: - https://aws.amazon.com/premiumsupport/knowledge-center/reset-master-user-password-rds drilldown_searches: -- name: View the detection results for $database_id$ - search: '%original_detection_search% | search database_id = $database_id$' +- name: View the detection results for - "$database_id$" + search: '%original_detection_search% | search database_id = "$database_id$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $database_id$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($database_id$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$database_id$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$database_id$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/cloud/aws_cross_account_activity_from_previously_unseen_account.yml b/detections/cloud/aws_cross_account_activity_from_previously_unseen_account.yml index 5655eeb677..b4ab080433 100644 --- a/detections/cloud/aws_cross_account_activity_from_previously_unseen_account.yml +++ b/detections/cloud/aws_cross_account_activity_from_previously_unseen_account.yml @@ -5,36 +5,12 @@ date: '2024-10-17' author: Rico Valdez, Splunk status: experimental type: Anomaly -description: The following analytic identifies AssumeRole events where an IAM role - in a different AWS account is accessed for the first time. It detects this activity - by analyzing authentication logs and comparing the requesting and requested account - IDs, flagging new cross-account activities. This behavior is significant because - unauthorized cross-account access can indicate potential lateral movement or privilege - escalation attempts. If confirmed malicious, an attacker could gain unauthorized - access to resources in another account, potentially leading to data exfiltration, - service disruption, or further compromise of the AWS environment. -data_source: +description: The following analytic identifies AssumeRole events where an IAM role in a different AWS account is accessed for the first time. It detects this activity by analyzing authentication logs and comparing the requesting and requested account IDs, flagging new cross-account activities. This behavior is significant because unauthorized cross-account access can indicate potential lateral movement or privilege escalation attempts. If confirmed malicious, an attacker could gain unauthorized access to resources in another account, potentially leading to data exfiltration, service disruption, or further compromise of the AWS environment. +data_source: - AWS CloudTrail -search: '| tstats min(_time) as firstTime max(_time) as lastTime from datamodel=Authentication - where Authentication.signature=AssumeRole by Authentication.vendor_account Authentication.user - Authentication.src Authentication.user_role | `drop_dm_object_name(Authentication)` - | rex field=user_role "arn:aws:sts:*:(?.*):" | where vendor_account - != dest_account | rename vendor_account as requestingAccountId dest_account as requestedAccountId - | lookup previously_seen_aws_cross_account_activity requestingAccountId, requestedAccountId, - OUTPUTNEW firstTime | eval status = if(firstTime > relative_time(now(), "-24h@h"),"New - Cross Account Activity","Previously Seen") | where status = "New Cross Account - Activity" | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| - `aws_cross_account_activity_from_previously_unseen_account_filter`' -how_to_implement: You must be ingesting your cloud infrastructure logs from your cloud - provider. You should run the baseline search `Previously Seen AWS Cross Account - Activity - Initial` to build the initial table of source IP address, geographic - locations, and times. You must also enable the second baseline search `Previously - Seen AWS Cross Account Activity - Update` to keep this table up to date and to age - out old data. You can also provide additional filtering for this search by customizing - the `aws_cross_account_activity_from_previously_unseen_account_filter` macro. -known_false_positives: Using multiple AWS accounts and roles is perfectly valid behavior. - It's suspicious when an account requests privileges of an account it hasn't before. - You should validate with the account owner that this is a legitimate request. +search: '| tstats min(_time) as firstTime max(_time) as lastTime from datamodel=Authentication where Authentication.signature=AssumeRole by Authentication.vendor_account Authentication.user Authentication.src Authentication.user_role | `drop_dm_object_name(Authentication)` | rex field=user_role "arn:aws:sts:*:(?.*):" | where vendor_account != dest_account | rename vendor_account as requestingAccountId dest_account as requestedAccountId | lookup previously_seen_aws_cross_account_activity requestingAccountId, requestedAccountId, OUTPUTNEW firstTime | eval status = if(firstTime > relative_time(now(), "-24h@h"),"New Cross Account Activity","Previously Seen") | where status = "New Cross Account Activity" | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `aws_cross_account_activity_from_previously_unseen_account_filter`' +how_to_implement: You must be ingesting your cloud infrastructure logs from your cloud provider. You should run the baseline search `Previously Seen AWS Cross Account Activity - Initial` to build the initial table of source IP address, geographic locations, and times. You must also enable the second baseline search `Previously Seen AWS Cross Account Activity - Update` to keep this table up to date and to age out old data. You can also provide additional filtering for this search by customizing the `aws_cross_account_activity_from_previously_unseen_account_filter` macro. +known_false_positives: Using multiple AWS accounts and roles is perfectly valid behavior. It's suspicious when an account requests privileges of an account it hasn't before. You should validate with the account owner that this is a legitimate request. references: [] tags: analytic_story: @@ -42,8 +18,7 @@ tags: asset_type: AWS Instance confidence: 50 impact: 30 - message: AWS account $requestingAccountId$ is trying to access resource from some - other account $requestedAccountId$, for the first time. + message: AWS account $requestingAccountId$ is trying to access resource from some other account $requestedAccountId$, for the first time. observable: - name: requestingAccountId type: Other @@ -69,8 +44,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/suspicious_behaviour/abnormally_high_cloud_instances_launched/cloudtrail_behavioural_detections.json + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/suspicious_behaviour/abnormally_high_cloud_instances_launched/cloudtrail_behavioural_detections.json sourcetype: aws:cloudtrail source: aws_cloudtrail update_timestamp: true diff --git a/detections/cloud/aws_defense_evasion_delete_cloudtrail.yml b/detections/cloud/aws_defense_evasion_delete_cloudtrail.yml index c60ac2de27..6f641c7a60 100644 --- a/detections/cloud/aws_defense_evasion_delete_cloudtrail.yml +++ b/detections/cloud/aws_defense_evasion_delete_cloudtrail.yml @@ -14,12 +14,12 @@ known_false_positives: While this search has no known false positives, it is pos references: - https://attack.mitre.org/techniques/T1562/008/ drilldown_searches: -- name: View the detection results for $user_arn$ - search: '%original_detection_search% | search user_arn = $user_arn$' +- name: View the detection results for - "$user_arn$" + search: '%original_detection_search% | search user_arn = "$user_arn$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user_arn$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user_arn$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user_arn$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user_arn$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/cloud/aws_defense_evasion_delete_cloudwatch_log_group.yml b/detections/cloud/aws_defense_evasion_delete_cloudwatch_log_group.yml index d6043ef834..b3592458d3 100644 --- a/detections/cloud/aws_defense_evasion_delete_cloudwatch_log_group.yml +++ b/detections/cloud/aws_defense_evasion_delete_cloudwatch_log_group.yml @@ -14,12 +14,12 @@ known_false_positives: While this search has no known false positives, it is pos references: - https://attack.mitre.org/techniques/T1562/008/ drilldown_searches: -- name: View the detection results for $user_arn$ - search: '%original_detection_search% | search user_arn = $user_arn$' +- name: View the detection results for - "$user_arn$" + search: '%original_detection_search% | search user_arn = "$user_arn$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user_arn$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user_arn$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user_arn$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user_arn$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/cloud/aws_defense_evasion_impair_security_services.yml b/detections/cloud/aws_defense_evasion_impair_security_services.yml index a30373514d..3f56568fb1 100644 --- a/detections/cloud/aws_defense_evasion_impair_security_services.yml +++ b/detections/cloud/aws_defense_evasion_impair_security_services.yml @@ -5,33 +5,19 @@ date: '2024-10-17' author: Bhavin Patel, Gowthamaraj Rajendran, Splunk status: production type: Hunting -description: The following analytic detects attempts to delete critical AWS security - service configurations, such as CloudWatch alarms, GuardDuty detectors, and Web - Application Firewall rules. It leverages CloudTrail logs to identify specific API - calls like "DeleteLogStream" and "DeleteDetector." This activity is significant - because it indicates potential efforts to disable security monitoring and evade - detection. If confirmed malicious, this could allow attackers to operate undetected, - escalate privileges, or exfiltrate data without triggering security alerts, severely - compromising the security posture of the AWS environment. +description: The following analytic detects attempts to delete critical AWS security service configurations, such as CloudWatch alarms, GuardDuty detectors, and Web Application Firewall rules. It leverages CloudTrail logs to identify specific API calls like "DeleteLogStream" and "DeleteDetector." This activity is significant because it indicates potential efforts to disable security monitoring and evade detection. If confirmed malicious, this could allow attackers to operate undetected, escalate privileges, or exfiltrate data without triggering security alerts, severely compromising the security posture of the AWS environment. data_source: -- AWS CloudTrail DeleteLogStream -- AWS CloudTrail DeleteDetector -- AWS CloudTrail DeleteIPSet -- AWS CloudTrail DeleteWebACL -- AWS CloudTrail DeleteRule -- AWS CloudTrail DeleteRuleGroup -- AWS CloudTrail DeleteLoggingConfiguration +- AWS CloudTrail DeleteLogStream +- AWS CloudTrail DeleteDetector +- AWS CloudTrail DeleteIPSet +- AWS CloudTrail DeleteWebACL +- AWS CloudTrail DeleteRule +- AWS CloudTrail DeleteRuleGroup +- AWS CloudTrail DeleteLoggingConfiguration - AWS CloudTrail DeleteAlarms -search: '`cloudtrail` eventName IN ("DeleteLogStream","DeleteDetector","DeleteIPSet","DeleteWebACL","DeleteRule","DeleteRuleGroup","DeleteLoggingConfiguration","DeleteAlarms") - | stats count min(_time) as firstTime max(_time) as lastTime values(eventName) as - eventName values(eventSource) as eventSource values(requestParameters.*) as * by - src region user_arn aws_account_id user_type user_agent errorCode| `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)`| `aws_defense_evasion_impair_security_services_filter`' -how_to_implement: You must install Splunk AWS Add on and enable CloudTrail logs in - your AWS Environment. -known_false_positives: While this search has no known false positives, it is possible - that it is a legitimate admin activity. Please consider filtering out these noisy - events using userAgent, user_arn field names. +search: '`cloudtrail` eventName IN ("DeleteLogStream","DeleteDetector","DeleteIPSet","DeleteWebACL","DeleteRule","DeleteRuleGroup","DeleteLoggingConfiguration","DeleteAlarms") | stats count min(_time) as firstTime max(_time) as lastTime values(eventName) as eventName values(eventSource) as eventSource values(requestParameters.*) as * by src region user_arn aws_account_id user_type user_agent errorCode| `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `aws_defense_evasion_impair_security_services_filter`' +how_to_implement: You must install Splunk AWS Add on and enable CloudTrail logs in your AWS Environment. +known_false_positives: While this search has no known false positives, it is possible that it is a legitimate admin activity. Please consider filtering out these noisy events using userAgent, user_arn field names. references: - https://docs.aws.amazon.com/cli/latest/reference/guardduty/index.html - https://docs.aws.amazon.com/cli/latest/reference/waf/index.html @@ -42,8 +28,7 @@ tags: asset_type: AWS Account confidence: 60 impact: 70 - message: User $user_arn$ has made potentially risky api calls $eventName$ that could - impair AWS security services for account id $aws_account_id$ + message: User $user_arn$ has made potentially risky api calls $eventName$ that could impair AWS security services for account id $aws_account_id$ mitre_attack_id: - T1562.008 - T1562 @@ -75,8 +60,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.008/aws_delete_security_services/aws_cloudtrail_events.json + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.008/aws_delete_security_services/aws_cloudtrail_events.json sourcetype: aws:cloudtrail source: aws_cloudtrail update_timestamp: true diff --git a/detections/cloud/aws_defense_evasion_putbucketlifecycle.yml b/detections/cloud/aws_defense_evasion_putbucketlifecycle.yml index cc73b2412e..54486e04e6 100644 --- a/detections/cloud/aws_defense_evasion_putbucketlifecycle.yml +++ b/detections/cloud/aws_defense_evasion_putbucketlifecycle.yml @@ -5,27 +5,12 @@ date: '2024-10-17' author: Bhavin Patel status: production type: Hunting -description: The following analytic detects `PutBucketLifecycle` events in AWS CloudTrail - logs where a user sets a lifecycle rule for an S3 bucket with an expiration period - of fewer than three days. This detection leverages CloudTrail logs to identify suspicious - lifecycle configurations. This activity is significant because attackers may use - it to delete CloudTrail logs quickly, thereby evading detection and impairing forensic - investigations. If confirmed malicious, this could allow attackers to cover their - tracks, making it difficult to trace their actions and respond to the breach effectively. +description: The following analytic detects `PutBucketLifecycle` events in AWS CloudTrail logs where a user sets a lifecycle rule for an S3 bucket with an expiration period of fewer than three days. This detection leverages CloudTrail logs to identify suspicious lifecycle configurations. This activity is significant because attackers may use it to delete CloudTrail logs quickly, thereby evading detection and impairing forensic investigations. If confirmed malicious, this could allow attackers to cover their tracks, making it difficult to trace their actions and respond to the breach effectively. data_source: - AWS CloudTrail PutBucketLifecycle -search: '`cloudtrail` eventName=PutBucketLifecycle user_type=IAMUser errorCode=success - | spath path=requestParameters{}.LifecycleConfiguration{}.Rule{}.Expiration{}.Days - output=expiration_days | spath path=requestParameters{}.bucketName output=bucket_name - | stats count min(_time) as firstTime max(_time) as lastTime by src region eventName - userAgent user_arn aws_account_id expiration_days bucket_name user_type| `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` | where expiration_days < 3 | `aws_defense_evasion_putbucketlifecycle_filter`' -how_to_implement: You must install Splunk AWS Add on and enable CloudTrail logs in - your AWS Environment. We recommend our users to set the expiration days value according - to your company's log retention policies. -known_false_positives: While this search has no known false positives, it is possible - that it is a legitimate admin activity. Please consider filtering out these noisy - events using userAgent, user_arn field names. +search: '`cloudtrail` eventName=PutBucketLifecycle user_type=IAMUser errorCode=success | spath path=requestParameters{}.LifecycleConfiguration{}.Rule{}.Expiration{}.Days output=expiration_days | spath path=requestParameters{}.bucketName output=bucket_name | stats count min(_time) as firstTime max(_time) as lastTime by src region eventName userAgent user_arn aws_account_id expiration_days bucket_name user_type| `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | where expiration_days < 3 | `aws_defense_evasion_putbucketlifecycle_filter`' +how_to_implement: You must install Splunk AWS Add on and enable CloudTrail logs in your AWS Environment. We recommend our users to set the expiration days value according to your company's log retention policies. +known_false_positives: While this search has no known false positives, it is possible that it is a legitimate admin activity. Please consider filtering out these noisy events using userAgent, user_arn field names. references: - https://stratus-red-team.cloud/attack-techniques/AWS/aws.defense-evasion.cloudtrail-lifecycle-rule/ tags: @@ -34,8 +19,7 @@ tags: asset_type: AWS Account confidence: 40 impact: 50 - message: User $user_arn$ has created a new rule to on an S3 bucket $bucket_name$ - with short expiration days + message: User $user_arn$ has created a new rule to on an S3 bucket $bucket_name$ with short expiration days mitre_attack_id: - T1562.008 - T1562 @@ -68,8 +52,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.008/put_bucketlifecycle/aws_cloudtrail_events.json + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.008/put_bucketlifecycle/aws_cloudtrail_events.json sourcetype: aws:cloudtrail source: aws_cloudtrail update_timestamp: true diff --git a/detections/cloud/aws_defense_evasion_stop_logging_cloudtrail.yml b/detections/cloud/aws_defense_evasion_stop_logging_cloudtrail.yml index d6350a946c..295ffc430a 100644 --- a/detections/cloud/aws_defense_evasion_stop_logging_cloudtrail.yml +++ b/detections/cloud/aws_defense_evasion_stop_logging_cloudtrail.yml @@ -14,12 +14,12 @@ known_false_positives: While this search has no known false positives, it is pos references: - https://attack.mitre.org/techniques/T1562/008/ drilldown_searches: -- name: View the detection results for $user_arn$ - search: '%original_detection_search% | search user_arn = $user_arn$' +- name: View the detection results for - "$user_arn$" + search: '%original_detection_search% | search user_arn = "$user_arn$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user_arn$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user_arn$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user_arn$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user_arn$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/cloud/aws_defense_evasion_update_cloudtrail.yml b/detections/cloud/aws_defense_evasion_update_cloudtrail.yml index a985241b1b..df108b6ae9 100644 --- a/detections/cloud/aws_defense_evasion_update_cloudtrail.yml +++ b/detections/cloud/aws_defense_evasion_update_cloudtrail.yml @@ -14,12 +14,12 @@ known_false_positives: While this search has no known false positives, it is pos references: - https://attack.mitre.org/techniques/T1562/008/ drilldown_searches: -- name: View the detection results for $user_arn$ - search: '%original_detection_search% | search user_arn = $user_arn$' +- name: View the detection results for - "$user_arn$" + search: '%original_detection_search% | search user_arn = "$user_arn$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user_arn$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user_arn$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user_arn$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user_arn$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/cloud/aws_detect_attach_to_role_policy.yml b/detections/cloud/aws_detect_attach_to_role_policy.yml index 51e9058c36..ac2ad5e64a 100644 --- a/detections/cloud/aws_detect_attach_to_role_policy.yml +++ b/detections/cloud/aws_detect_attach_to_role_policy.yml @@ -5,24 +5,11 @@ date: '2024-10-17' author: Rod Soto, Splunk status: experimental type: Hunting -description: The following analytic identifies a user attaching a policy to a different - role's trust policy in AWS. It leverages CloudWatch logs to detect the `attach policy` - event, extracting relevant fields such as `policyArn`, `sourceIPAddress`, and `userIdentity`. - This activity is significant as it can indicate attempts at lateral movement or - privilege escalation within the AWS environment. If confirmed malicious, an attacker - could gain elevated permissions, potentially compromising sensitive resources and - data within the AWS infrastructure. +description: The following analytic identifies a user attaching a policy to a different role's trust policy in AWS. It leverages CloudWatch logs to detect the `attach policy` event, extracting relevant fields such as `policyArn`, `sourceIPAddress`, and `userIdentity`. This activity is significant as it can indicate attempts at lateral movement or privilege escalation within the AWS environment. If confirmed malicious, an attacker could gain elevated permissions, potentially compromising sensitive resources and data within the AWS infrastructure. data_source: [] -search: '`aws_cloudwatchlogs_eks` attach policy| spath requestParameters.policyArn - | table sourceIPAddress user_access_key userIdentity.arn userIdentity.sessionContext.sessionIssuer.arn - eventName errorCode errorMessage status action requestParameters.policyArn userIdentity.sessionContext.attributes.mfaAuthenticated - userIdentity.sessionContext.attributes.creationDate | `aws_detect_attach_to_role_policy_filter`' -how_to_implement: You must install splunk AWS add-on and Splunk App for AWS. This - search works with cloudwatch logs -known_false_positives: Attach to policy can create a lot of noise. This search can - be adjusted to provide specific values to identify cases of abuse (i.e status=failure). - The search can provide context for common users attaching themselves to higher privilege - policies or even newly created policies. +search: '`aws_cloudwatchlogs_eks` attach policy| spath requestParameters.policyArn | table sourceIPAddress user_access_key userIdentity.arn userIdentity.sessionContext.sessionIssuer.arn eventName errorCode errorMessage status action requestParameters.policyArn userIdentity.sessionContext.attributes.mfaAuthenticated userIdentity.sessionContext.attributes.creationDate | `aws_detect_attach_to_role_policy_filter`' +how_to_implement: You must install splunk AWS add-on and Splunk App for AWS. This search works with cloudwatch logs +known_false_positives: Attach to policy can create a lot of noise. This search can be adjusted to provide specific values to identify cases of abuse (i.e status=failure). The search can provide context for common users attaching themselves to higher privilege policies or even newly created policies. references: [] tags: analytic_story: diff --git a/detections/cloud/aws_detect_permanent_key_creation.yml b/detections/cloud/aws_detect_permanent_key_creation.yml index 448a5a29a9..feb8296518 100644 --- a/detections/cloud/aws_detect_permanent_key_creation.yml +++ b/detections/cloud/aws_detect_permanent_key_creation.yml @@ -5,21 +5,11 @@ date: '2024-10-17' author: Rod Soto, Splunk status: experimental type: Hunting -description: The following analytic detects the creation of permanent access keys - in AWS accounts. It leverages CloudWatch logs to identify events where the `CreateAccessKey` - action is performed by IAM users. Monitoring the creation of permanent keys is crucial - as they are not created by default and are typically used for programmatic access. - If confirmed malicious, this activity could allow attackers to gain persistent access - to AWS resources, potentially leading to unauthorized actions and data exfiltration. +description: The following analytic detects the creation of permanent access keys in AWS accounts. It leverages CloudWatch logs to identify events where the `CreateAccessKey` action is performed by IAM users. Monitoring the creation of permanent keys is crucial as they are not created by default and are typically used for programmatic access. If confirmed malicious, this activity could allow attackers to gain persistent access to AWS resources, potentially leading to unauthorized actions and data exfiltration. data_source: [] -search: '`aws_cloudwatchlogs_eks` CreateAccessKey | spath eventName | search eventName=CreateAccessKey - "userIdentity.type"=IAMUser | table sourceIPAddress userName userIdentity.type userAgent - action status responseElements.accessKey.createDate responseElements.accessKey.status - responseElements.accessKey.accessKeyId |`aws_detect_permanent_key_creation_filter`' -how_to_implement: You must install splunk AWS add on and Splunk App for AWS. This - search works with cloudwatch logs -known_false_positives: Not all permanent key creations are malicious. If there is - a policy of rotating keys this search can be adjusted to provide better context. +search: '`aws_cloudwatchlogs_eks` CreateAccessKey | spath eventName | search eventName=CreateAccessKey "userIdentity.type"=IAMUser | table sourceIPAddress userName userIdentity.type userAgent action status responseElements.accessKey.createDate responseElements.accessKey.status responseElements.accessKey.accessKeyId |`aws_detect_permanent_key_creation_filter`' +how_to_implement: You must install splunk AWS add on and Splunk App for AWS. This search works with cloudwatch logs +known_false_positives: Not all permanent key creations are malicious. If there is a policy of rotating keys this search can be adjusted to provide better context. references: [] tags: analytic_story: diff --git a/detections/cloud/aws_detect_role_creation.yml b/detections/cloud/aws_detect_role_creation.yml index 2d8af7490f..6b9fa9aba6 100644 --- a/detections/cloud/aws_detect_role_creation.yml +++ b/detections/cloud/aws_detect_role_creation.yml @@ -5,23 +5,11 @@ date: '2024-10-17' author: Rod Soto, Splunk status: experimental type: Hunting -description: The following analytic identifies the creation of new IAM roles by users - in AWS. It leverages CloudWatch logs to detect events where the `CreateRole` action - is performed, focusing on roles with specific trust policies. This activity is significant - as unauthorized role creation can facilitate lateral movement and privilege escalation - within the AWS environment. If confirmed malicious, attackers could gain elevated - permissions, potentially compromising sensitive resources and data. +description: The following analytic identifies the creation of new IAM roles by users in AWS. It leverages CloudWatch logs to detect events where the `CreateRole` action is performed, focusing on roles with specific trust policies. This activity is significant as unauthorized role creation can facilitate lateral movement and privilege escalation within the AWS environment. If confirmed malicious, attackers could gain elevated permissions, potentially compromising sensitive resources and data. data_source: [] -search: '`aws_cloudwatchlogs_eks` event_name=CreateRole action=created userIdentity.type=AssumedRole - requestParameters.description=Allows* | table sourceIPAddress userIdentity.principalId - userIdentity.arn action event_name awsRegion http_user_agent mfa_auth msg requestParameters.roleName - requestParameters.description responseElements.role.arn responseElements.role.createDate - | `aws_detect_role_creation_filter`' -how_to_implement: You must install splunk AWS add-on and Splunk App for AWS. This - search works with cloudwatch logs -known_false_positives: CreateRole is not very common in common users. This search - can be adjusted to provide specific values to identify cases of abuse. In general - AWS provides plenty of trust policies that fit most use cases. +search: '`aws_cloudwatchlogs_eks` event_name=CreateRole action=created userIdentity.type=AssumedRole requestParameters.description=Allows* | table sourceIPAddress userIdentity.principalId userIdentity.arn action event_name awsRegion http_user_agent mfa_auth msg requestParameters.roleName requestParameters.description responseElements.role.arn responseElements.role.createDate | `aws_detect_role_creation_filter`' +how_to_implement: You must install splunk AWS add-on and Splunk App for AWS. This search works with cloudwatch logs +known_false_positives: CreateRole is not very common in common users. This search can be adjusted to provide specific values to identify cases of abuse. In general AWS provides plenty of trust policies that fit most use cases. references: [] tags: analytic_story: diff --git a/detections/cloud/aws_detect_sts_assume_role_abuse.yml b/detections/cloud/aws_detect_sts_assume_role_abuse.yml index 8d32d9616a..cfac2757f8 100644 --- a/detections/cloud/aws_detect_sts_assume_role_abuse.yml +++ b/detections/cloud/aws_detect_sts_assume_role_abuse.yml @@ -5,24 +5,11 @@ date: '2024-10-17' author: Rod Soto, Splunk status: experimental type: Hunting -description: The following analytic identifies suspicious use of the AWS STS AssumeRole - action. It leverages AWS CloudTrail logs to detect instances where roles are assumed, - focusing on specific fields like source IP address, user ARN, and role names. This - activity is significant because attackers can use assumed roles to move laterally - within the AWS environment and escalate privileges. If confirmed malicious, this - could allow attackers to gain unauthorized access to sensitive resources, execute - code, or further entrench themselves within the environment, leading to potential - data breaches or service disruptions. +description: The following analytic identifies suspicious use of the AWS STS AssumeRole action. It leverages AWS CloudTrail logs to detect instances where roles are assumed, focusing on specific fields like source IP address, user ARN, and role names. This activity is significant because attackers can use assumed roles to move laterally within the AWS environment and escalate privileges. If confirmed malicious, this could allow attackers to gain unauthorized access to sensitive resources, execute code, or further entrench themselves within the environment, leading to potential data breaches or service disruptions. data_source: [] -search: '`cloudtrail` user_type=AssumedRole userIdentity.sessionContext.sessionIssuer.type=Role - | table sourceIPAddress userIdentity.arn user_agent user_access_key status action - requestParameters.roleName responseElements.role.roleName responseElements.role.createDate - | `aws_detect_sts_assume_role_abuse_filter`' -how_to_implement: You must install splunk AWS add on and Splunk App for AWS. This - search works with AWS CloudTrail logs -known_false_positives: Sts:AssumeRole can be very noisy as it is a standard mechanism - to provide cross account and cross resources access. This search can be adjusted - to provide specific values to identify cases of abuse. +search: '`cloudtrail` user_type=AssumedRole userIdentity.sessionContext.sessionIssuer.type=Role | table sourceIPAddress userIdentity.arn user_agent user_access_key status action requestParameters.roleName responseElements.role.roleName responseElements.role.createDate | `aws_detect_sts_assume_role_abuse_filter`' +how_to_implement: You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs +known_false_positives: Sts:AssumeRole can be very noisy as it is a standard mechanism to provide cross account and cross resources access. This search can be adjusted to provide specific values to identify cases of abuse. references: [] tags: analytic_story: diff --git a/detections/cloud/aws_detect_sts_get_session_token_abuse.yml b/detections/cloud/aws_detect_sts_get_session_token_abuse.yml index 53500ded8a..786a155632 100644 --- a/detections/cloud/aws_detect_sts_get_session_token_abuse.yml +++ b/detections/cloud/aws_detect_sts_get_session_token_abuse.yml @@ -5,23 +5,11 @@ date: '2024-10-17' author: Rod Soto, Splunk status: experimental type: Hunting -description: The following analytic identifies the suspicious use of the AWS STS GetSessionToken - API call. It leverages CloudWatch logs to detect instances where this API is invoked, - focusing on fields such as source IP address, event time, user identity, and status. - This activity is significant because attackers can use these tokens to move laterally - within the AWS environment and escalate privileges. If confirmed malicious, this - could lead to unauthorized access and control over AWS resources, potentially compromising - sensitive data and critical infrastructure. +description: The following analytic identifies the suspicious use of the AWS STS GetSessionToken API call. It leverages CloudWatch logs to detect instances where this API is invoked, focusing on fields such as source IP address, event time, user identity, and status. This activity is significant because attackers can use these tokens to move laterally within the AWS environment and escalate privileges. If confirmed malicious, this could lead to unauthorized access and control over AWS resources, potentially compromising sensitive data and critical infrastructure. data_source: [] -search: '`aws_cloudwatchlogs_eks` ASIA userIdentity.type=IAMUser| spath eventName - | search eventName=GetSessionToken | table sourceIPAddress eventTime userIdentity.arn - userName userAgent user_type status region | `aws_detect_sts_get_session_token_abuse_filter`' -how_to_implement: You must install splunk AWS add-on and Splunk App for AWS. This - search works with cloudwatch logs -known_false_positives: Sts:GetSessionToken can be very noisy as in certain environments - numerous calls of this type can be executed. This search can be adjusted to provide - specific values to identify cases of abuse. In specific environments the use of - field requestParameters.serialNumber will need to be used. +search: '`aws_cloudwatchlogs_eks` ASIA userIdentity.type=IAMUser| spath eventName | search eventName=GetSessionToken | table sourceIPAddress eventTime userIdentity.arn userName userAgent user_type status region | `aws_detect_sts_get_session_token_abuse_filter`' +how_to_implement: You must install splunk AWS add-on and Splunk App for AWS. This search works with cloudwatch logs +known_false_positives: Sts:GetSessionToken can be very noisy as in certain environments numerous calls of this type can be executed. This search can be adjusted to provide specific values to identify cases of abuse. In specific environments the use of field requestParameters.serialNumber will need to be used. references: [] tags: analytic_story: diff --git a/detections/cloud/aws_detect_users_creating_keys_with_encrypt_policy_without_mfa.yml b/detections/cloud/aws_detect_users_creating_keys_with_encrypt_policy_without_mfa.yml index e9636d32c2..bd135750bd 100644 --- a/detections/cloud/aws_detect_users_creating_keys_with_encrypt_policy_without_mfa.yml +++ b/detections/cloud/aws_detect_users_creating_keys_with_encrypt_policy_without_mfa.yml @@ -17,12 +17,12 @@ references: - https://github.com/d1vious/git-wild-hunt - https://www.youtube.com/watch?v=PgzNib37g0M drilldown_searches: -- name: View the detection results for $user$ - search: '%original_detection_search% | search user = $user$' +- name: View the detection results for - "$user$" + search: '%original_detection_search% | search user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/cloud/aws_detect_users_with_kms_keys_performing_encryption_s3.yml b/detections/cloud/aws_detect_users_with_kms_keys_performing_encryption_s3.yml index add2b13699..0e8a27b026 100644 --- a/detections/cloud/aws_detect_users_with_kms_keys_performing_encryption_s3.yml +++ b/detections/cloud/aws_detect_users_with_kms_keys_performing_encryption_s3.yml @@ -16,12 +16,12 @@ references: - https://github.com/d1vious/git-wild-hunt - https://www.youtube.com/watch?v=PgzNib37g0M drilldown_searches: -- name: View the detection results for $user$ - search: '%original_detection_search% | search user = $user$' +- name: View the detection results for - "$user$" + search: '%original_detection_search% | search user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/cloud/aws_disable_bucket_versioning.yml b/detections/cloud/aws_disable_bucket_versioning.yml index e8fc38c35b..6fa9db70cd 100644 --- a/detections/cloud/aws_disable_bucket_versioning.yml +++ b/detections/cloud/aws_disable_bucket_versioning.yml @@ -15,12 +15,12 @@ references: - https://invictus-ir.medium.com/ransomware-in-the-cloud-7f14805bbe82 - https://bleemb.medium.com/data-exfiltration-with-native-aws-s3-features-c94ae4d13436 drilldown_searches: -- name: View the detection results for $aws_account_id$ - search: '%original_detection_search% | search aws_account_id = $aws_account_id$' +- name: View the detection results for - "$aws_account_id$" + search: '%original_detection_search% | search aws_account_id = "$aws_account_id$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $aws_account_id$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($aws_account_id$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$aws_account_id$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$aws_account_id$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/cloud/aws_ec2_snapshot_shared_externally.yml b/detections/cloud/aws_ec2_snapshot_shared_externally.yml index 22a622a525..ef27377ae0 100644 --- a/detections/cloud/aws_ec2_snapshot_shared_externally.yml +++ b/detections/cloud/aws_ec2_snapshot_shared_externally.yml @@ -16,12 +16,12 @@ references: - https://stratus-red-team.cloud/attack-techniques/AWS/aws.exfiltration.ec2-share-ebs-snapshot/ - https://hackingthe.cloud/aws/enumeration/loot_public_ebs_snapshots/ drilldown_searches: -- name: View the detection results for $aws_account_id$ - search: '%original_detection_search% | search aws_account_id = $aws_account_id$' +- name: View the detection results for - "$aws_account_id$" + search: '%original_detection_search% | search aws_account_id = "$aws_account_id$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $aws_account_id$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($aws_account_id$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$aws_account_id$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$aws_account_id$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/cloud/aws_ecr_container_scanning_findings_high.yml b/detections/cloud/aws_ecr_container_scanning_findings_high.yml index 0327f9cb2d..d2a76017a5 100644 --- a/detections/cloud/aws_ecr_container_scanning_findings_high.yml +++ b/detections/cloud/aws_ecr_container_scanning_findings_high.yml @@ -14,12 +14,12 @@ known_false_positives: unknown references: - https://docs.aws.amazon.com/AmazonECR/latest/userguide/image-scanning.html drilldown_searches: -- name: View the detection results for $repository$ - search: '%original_detection_search% | search repository = $repository$' +- name: View the detection results for - "$repository$" + search: '%original_detection_search% | search repository = "$repository$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $repository$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($repository$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$repository$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$repository$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/cloud/aws_ecr_container_scanning_findings_low_informational_unknown.yml b/detections/cloud/aws_ecr_container_scanning_findings_low_informational_unknown.yml index b2f02f533c..245e8ca743 100644 --- a/detections/cloud/aws_ecr_container_scanning_findings_low_informational_unknown.yml +++ b/detections/cloud/aws_ecr_container_scanning_findings_low_informational_unknown.yml @@ -14,12 +14,12 @@ known_false_positives: unknown references: - https://docs.aws.amazon.com/AmazonECR/latest/userguide/image-scanning.html drilldown_searches: -- name: View the detection results for $repository$ - search: '%original_detection_search% | search repository = $repository$' +- name: View the detection results for - "$repository$" + search: '%original_detection_search% | search repository = "$repository$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $repository$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($repository$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$repository$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$repository$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/cloud/aws_ecr_container_scanning_findings_medium.yml b/detections/cloud/aws_ecr_container_scanning_findings_medium.yml index 11e1fe7d7d..ee7ebcdc9a 100644 --- a/detections/cloud/aws_ecr_container_scanning_findings_medium.yml +++ b/detections/cloud/aws_ecr_container_scanning_findings_medium.yml @@ -14,12 +14,12 @@ known_false_positives: unknown references: - https://docs.aws.amazon.com/AmazonECR/latest/userguide/image-scanning.html drilldown_searches: -- name: View the detection results for $repository$ - search: '%original_detection_search% | search repository = $repository$' +- name: View the detection results for - "$repository$" + search: '%original_detection_search% | search repository = "$repository$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $repository$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($repository$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$repository$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$repository$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/cloud/aws_ecr_container_upload_outside_business_hours.yml b/detections/cloud/aws_ecr_container_upload_outside_business_hours.yml index 16e1b0f3ef..4b6163a01a 100644 --- a/detections/cloud/aws_ecr_container_upload_outside_business_hours.yml +++ b/detections/cloud/aws_ecr_container_upload_outside_business_hours.yml @@ -14,12 +14,12 @@ known_false_positives: When your development is spreaded in different time zones references: - https://attack.mitre.org/techniques/T1204/003/ drilldown_searches: -- name: View the detection results for $user$ - search: '%original_detection_search% | search user = $user$' +- name: View the detection results for - "$user$" + search: '%original_detection_search% | search user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/cloud/aws_ecr_container_upload_unknown_user.yml b/detections/cloud/aws_ecr_container_upload_unknown_user.yml index a66ac1cc45..291255f240 100644 --- a/detections/cloud/aws_ecr_container_upload_unknown_user.yml +++ b/detections/cloud/aws_ecr_container_upload_unknown_user.yml @@ -14,12 +14,12 @@ known_false_positives: unknown references: - https://attack.mitre.org/techniques/T1204/003/ drilldown_searches: -- name: View the detection results for $user$ - search: '%original_detection_search% | search user = $user$' +- name: View the detection results for - "$user$" + search: '%original_detection_search% | search user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/cloud/aws_excessive_security_scanning.yml b/detections/cloud/aws_excessive_security_scanning.yml index fa059e8b5f..0ef9f0ba6e 100644 --- a/detections/cloud/aws_excessive_security_scanning.yml +++ b/detections/cloud/aws_excessive_security_scanning.yml @@ -14,12 +14,12 @@ known_false_positives: While this search has no known false positives. references: - https://github.com/aquasecurity/cloudsploit drilldown_searches: -- name: View the detection results for $user$ - search: '%original_detection_search% | search user = $user$' +- name: View the detection results for - "$user$" + search: '%original_detection_search% | search user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/cloud/aws_exfiltration_via_anomalous_getobject_api_activity.yml b/detections/cloud/aws_exfiltration_via_anomalous_getobject_api_activity.yml index 35c30c620b..164fa36716 100644 --- a/detections/cloud/aws_exfiltration_via_anomalous_getobject_api_activity.yml +++ b/detections/cloud/aws_exfiltration_via_anomalous_getobject_api_activity.yml @@ -16,12 +16,12 @@ references: - https://docs.splunk.com/Documentation/Splunk/9.0.4/SearchReference/Anomalydetection - https://www.vectra.ai/blogpost/abusing-the-replicator-silently-exfiltrating-data-with-the-aws-s3-replication-service drilldown_searches: -- name: View the detection results for $aws_account_id$ - search: '%original_detection_search% | search aws_account_id = $aws_account_id$' +- name: View the detection results for - "$aws_account_id$" + search: '%original_detection_search% | search aws_account_id = "$aws_account_id$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $aws_account_id$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($aws_account_id$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$aws_account_id$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$aws_account_id$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/cloud/aws_exfiltration_via_batch_service.yml b/detections/cloud/aws_exfiltration_via_batch_service.yml index a7f6dab3ac..b781649f91 100644 --- a/detections/cloud/aws_exfiltration_via_batch_service.yml +++ b/detections/cloud/aws_exfiltration_via_batch_service.yml @@ -15,12 +15,12 @@ references: - https://hackingthe.cloud/aws/exploitation/s3-bucket-replication-exfiltration/ - https://bleemb.medium.com/data-exfiltration-with-native-aws-s3-features-c94ae4d13436 drilldown_searches: -- name: View the detection results for $aws_account_id$ - search: '%original_detection_search% | search aws_account_id = $aws_account_id$' +- name: View the detection results for - "$aws_account_id$" + search: '%original_detection_search% | search aws_account_id = "$aws_account_id$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $aws_account_id$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($aws_account_id$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$aws_account_id$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$aws_account_id$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/cloud/aws_exfiltration_via_bucket_replication.yml b/detections/cloud/aws_exfiltration_via_bucket_replication.yml index 3e04f1d5f7..71340c194c 100644 --- a/detections/cloud/aws_exfiltration_via_bucket_replication.yml +++ b/detections/cloud/aws_exfiltration_via_bucket_replication.yml @@ -14,12 +14,12 @@ known_false_positives: It is possible that an AWS admin has legitimately impleme references: - https://hackingthe.cloud/aws/exploitation/s3-bucket-replication-exfiltration/ drilldown_searches: -- name: View the detection results for $user_arn$ and $aws_account_id$ - search: '%original_detection_search% | search user_arn = $user_arn$ aws_account_id = $aws_account_id$' +- name: View the detection results for - "$user_arn$" and "$aws_account_id$" + search: '%original_detection_search% | search user_arn = "$user_arn$" aws_account_id = "$aws_account_id$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user_arn$ and $aws_account_id$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user_arn$, $aws_account_id$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user_arn$" and "$aws_account_id$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user_arn$", "$aws_account_id$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/cloud/aws_exfiltration_via_datasync_task.yml b/detections/cloud/aws_exfiltration_via_datasync_task.yml index 40ffa237c4..94e59c0583 100644 --- a/detections/cloud/aws_exfiltration_via_datasync_task.yml +++ b/detections/cloud/aws_exfiltration_via_datasync_task.yml @@ -15,12 +15,12 @@ references: - https://labs.nettitude.com/blog/how-to-exfiltrate-aws-ec2-data/ - https://www.shehackske.com/how-to/data-exfiltration-on-cloud-1606/ drilldown_searches: -- name: View the detection results for $aws_account_id$ - search: '%original_detection_search% | search aws_account_id = $aws_account_id$' +- name: View the detection results for - "$aws_account_id$" + search: '%original_detection_search% | search aws_account_id = "$aws_account_id$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $aws_account_id$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($aws_account_id$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$aws_account_id$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$aws_account_id$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/cloud/aws_exfiltration_via_ec2_snapshot.yml b/detections/cloud/aws_exfiltration_via_ec2_snapshot.yml index 61ef9e24a1..3a8df695ce 100644 --- a/detections/cloud/aws_exfiltration_via_ec2_snapshot.yml +++ b/detections/cloud/aws_exfiltration_via_ec2_snapshot.yml @@ -20,12 +20,12 @@ references: - https://bleemb.medium.com/data-exfiltration-with-native-aws-s3-features-c94ae4d13436 - https://stratus-red-team.cloud/attack-techniques/list/ drilldown_searches: -- name: View the detection results for $aws_account_id$ - search: '%original_detection_search% | search aws_account_id = $aws_account_id$' +- name: View the detection results for - "$aws_account_id$" + search: '%original_detection_search% | search aws_account_id = "$aws_account_id$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $aws_account_id$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($aws_account_id$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$aws_account_id$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$aws_account_id$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/cloud/aws_high_number_of_failed_authentications_for_user.yml b/detections/cloud/aws_high_number_of_failed_authentications_for_user.yml index 40d962e9a1..255ec8a16b 100644 --- a/detections/cloud/aws_high_number_of_failed_authentications_for_user.yml +++ b/detections/cloud/aws_high_number_of_failed_authentications_for_user.yml @@ -14,12 +14,12 @@ known_false_positives: A user with more than 20 failed authentication attempts i references: - https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/IAM/password-policy.html drilldown_searches: -- name: View the detection results for $user_name$ - search: '%original_detection_search% | search user_name = $user_name$' +- name: View the detection results for - "$user_name$" + search: '%original_detection_search% | search user_name = "$user_name$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user_name$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user_name$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user_name$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user_name$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/cloud/aws_high_number_of_failed_authentications_from_ip.yml b/detections/cloud/aws_high_number_of_failed_authentications_from_ip.yml index 3f97408815..660947adec 100644 --- a/detections/cloud/aws_high_number_of_failed_authentications_from_ip.yml +++ b/detections/cloud/aws_high_number_of_failed_authentications_from_ip.yml @@ -16,12 +16,12 @@ references: - https://www.whiteoaksecurity.com/blog/goawsconsolespray-password-spraying-tool/ - https://softwaresecuritydotblog.wordpress.com/2019/09/28/how-to-protect-against-credential-stuffing-on-aws/ drilldown_searches: -- name: View the detection results for $tried_accounts$ - search: '%original_detection_search% | search tried_accounts = $tried_accounts$' +- name: View the detection results for - "$tried_accounts$" + search: '%original_detection_search% | search tried_accounts = "$tried_accounts$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $tried_accounts$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($tried_accounts$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$tried_accounts$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$tried_accounts$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/cloud/aws_iam_accessdenied_discovery_events.yml b/detections/cloud/aws_iam_accessdenied_discovery_events.yml index 77a3540474..c68b8b492b 100644 --- a/detections/cloud/aws_iam_accessdenied_discovery_events.yml +++ b/detections/cloud/aws_iam_accessdenied_discovery_events.yml @@ -14,12 +14,12 @@ known_false_positives: It is possible to start this detection will need to be tu references: - https://aws.amazon.com/premiumsupport/knowledge-center/troubleshoot-iam-permission-errors/ drilldown_searches: -- name: View the detection results for $userIdentity.arn$ - search: '%original_detection_search% | search userIdentity.arn = $userIdentity.arn$' +- name: View the detection results for - "$userIdentity.arn$" + search: '%original_detection_search% | search userIdentity.arn = "$userIdentity.arn$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $userIdentity.arn$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($userIdentity.arn$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$userIdentity.arn$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$userIdentity.arn$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/cloud/aws_iam_assume_role_policy_brute_force.yml b/detections/cloud/aws_iam_assume_role_policy_brute_force.yml index 090392e350..642ae1547a 100644 --- a/detections/cloud/aws_iam_assume_role_policy_brute_force.yml +++ b/detections/cloud/aws_iam_assume_role_policy_brute_force.yml @@ -16,12 +16,12 @@ references: - https://rhinosecuritylabs.com/aws/assume-worst-aws-assume-role-enumeration/ - https://www.elastic.co/guide/en/security/current/aws-iam-brute-force-of-assume-role-policy.html drilldown_searches: -- name: View the detection results for $user_arn$ - search: '%original_detection_search% | search user_arn = $user_arn$' +- name: View the detection results for - "$user_arn$" + search: '%original_detection_search% | search user_arn = "$user_arn$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user_arn$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user_arn$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user_arn$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user_arn$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/cloud/aws_iam_delete_policy.yml b/detections/cloud/aws_iam_delete_policy.yml index 55c4926a5f..cf68ebc5f7 100644 --- a/detections/cloud/aws_iam_delete_policy.yml +++ b/detections/cloud/aws_iam_delete_policy.yml @@ -5,28 +5,12 @@ date: '2024-10-17' author: Michael Haag, Splunk status: production type: Hunting -description: The following analytic detects the deletion of an IAM policy in AWS. - It leverages AWS CloudTrail logs to identify `DeletePolicy` events, excluding those - from AWS internal services. This activity is significant as unauthorized policy - deletions can disrupt access controls and weaken security postures. If confirmed - malicious, an attacker could remove critical security policies, potentially leading - to privilege escalation, unauthorized access, or data exfiltration. Monitoring this - behavior helps ensure that only authorized changes are made to IAM policies, maintaining - the integrity and security of the AWS environment. +description: The following analytic detects the deletion of an IAM policy in AWS. It leverages AWS CloudTrail logs to identify `DeletePolicy` events, excluding those from AWS internal services. This activity is significant as unauthorized policy deletions can disrupt access controls and weaken security postures. If confirmed malicious, an attacker could remove critical security policies, potentially leading to privilege escalation, unauthorized access, or data exfiltration. Monitoring this behavior helps ensure that only authorized changes are made to IAM policies, maintaining the integrity and security of the AWS environment. data_source: - AWS CloudTrail DeletePolicy -search: '`cloudtrail` eventName=DeletePolicy (userAgent!=*.amazonaws.com) | stats - count min(_time) as firstTime max(_time) as lastTime values(requestParameters.policyArn) - as policyArn by src user_arn eventName eventSource aws_account_id errorCode errorMessage - userAgent eventID awsRegion userIdentity.principalId | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` | `aws_iam_delete_policy_filter`' -how_to_implement: The Splunk AWS Add-on and Splunk App for AWS is required to utilize - this data. The search requires AWS CloudTrail logs. -known_false_positives: This detection will require tuning to provide high fidelity - detection capabilties. Tune based on src addresses (corporate offices, VPN terminations) - or by groups of users. Not every user with AWS access should have permission to - delete policies (least privilege). In addition, this may be saved seperately and - tuned for failed or success attempts only. +search: '`cloudtrail` eventName=DeletePolicy (userAgent!=*.amazonaws.com) | stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.policyArn) as policyArn by src user_arn eventName eventSource aws_account_id errorCode errorMessage userAgent eventID awsRegion userIdentity.principalId | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `aws_iam_delete_policy_filter`' +how_to_implement: The Splunk AWS Add-on and Splunk App for AWS is required to utilize this data. The search requires AWS CloudTrail logs. +known_false_positives: This detection will require tuning to provide high fidelity detection capabilties. Tune based on src addresses (corporate offices, VPN terminations) or by groups of users. Not every user with AWS access should have permission to delete policies (least privilege). In addition, this may be saved seperately and tuned for failed or success attempts only. references: - https://docs.aws.amazon.com/IAM/latest/APIReference/API_DeletePolicy.html - https://docs.aws.amazon.com/cli/latest/reference/iam/delete-policy.html @@ -36,8 +20,7 @@ tags: asset_type: AWS Account confidence: 50 impact: 20 - message: User $user_arn$ has deleted AWS Policies from IP address $src$ by executing - the following command $eventName$ + message: User $user_arn$ has deleted AWS Policies from IP address $src$ by executing the following command $eventName$ mitre_attack_id: - T1098 observable: @@ -64,8 +47,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098/aws_iam_delete_policy/aws_iam_delete_policy.json + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098/aws_iam_delete_policy/aws_iam_delete_policy.json sourcetype: aws:cloudtrail source: aws_cloudtrail update_timestamp: true diff --git a/detections/cloud/aws_iam_failure_group_deletion.yml b/detections/cloud/aws_iam_failure_group_deletion.yml index 00cbe505ec..5a154ffabb 100644 --- a/detections/cloud/aws_iam_failure_group_deletion.yml +++ b/detections/cloud/aws_iam_failure_group_deletion.yml @@ -15,12 +15,12 @@ references: - https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/delete-group.html - https://docs.aws.amazon.com/IAM/latest/APIReference/API_DeleteGroup.html drilldown_searches: -- name: View the detection results for $user_arn$ - search: '%original_detection_search% | search user_arn = $user_arn$' +- name: View the detection results for - "$user_arn$" + search: '%original_detection_search% | search user_arn = "$user_arn$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user_arn$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user_arn$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user_arn$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user_arn$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/cloud/aws_iam_successful_group_deletion.yml b/detections/cloud/aws_iam_successful_group_deletion.yml index ceea49388c..1a0a4cdd0b 100644 --- a/detections/cloud/aws_iam_successful_group_deletion.yml +++ b/detections/cloud/aws_iam_successful_group_deletion.yml @@ -5,27 +5,12 @@ date: '2024-10-22' author: Michael Haag, Splunk status: production type: Hunting -description: The following analytic identifies the successful deletion of an IAM group - in AWS. It leverages CloudTrail logs to detect `DeleteGroup` events with a success - status. This activity is significant as it could indicate potential changes in user - permissions or access controls, which may be a precursor to further unauthorized - actions. If confirmed malicious, an attacker could disrupt access management, potentially - leading to privilege escalation or unauthorized access to sensitive resources. Analysts - should review related IAM events, such as recent user additions or new group creations, - to assess the broader context. +description: The following analytic identifies the successful deletion of an IAM group in AWS. It leverages CloudTrail logs to detect `DeleteGroup` events with a success status. This activity is significant as it could indicate potential changes in user permissions or access controls, which may be a precursor to further unauthorized actions. If confirmed malicious, an attacker could disrupt access management, potentially leading to privilege escalation or unauthorized access to sensitive resources. Analysts should review related IAM events, such as recent user additions or new group creations, to assess the broader context. data_source: - AWS CloudTrail DeleteGroup -search: '`cloudtrail` eventSource=iam.amazonaws.com eventName=DeleteGroup errorCode=success - (userAgent!=*.amazonaws.com) | stats count min(_time) as firstTime max(_time) as - lastTime values(requestParameters.groupName) as group_deleted by src eventName eventSource - errorCode user_agent awsRegion userIdentity.principalId user_arn | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` | `aws_iam_successful_group_deletion_filter`' -how_to_implement: The Splunk AWS Add-on and Splunk App for AWS is required to utilize - this data. The search requires AWS CloudTrail logs. -known_false_positives: This detection will require tuning to provide high fidelity - detection capabilties. Tune based on src addresses (corporate offices, VPN terminations) - or by groups of users. Not every user with AWS access should have permission to - delete groups (least privilege). +search: '`cloudtrail` eventSource=iam.amazonaws.com eventName=DeleteGroup errorCode=success (userAgent!=*.amazonaws.com) | stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.groupName) as group_deleted by src eventName eventSource errorCode user_agent awsRegion userIdentity.principalId user_arn | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `aws_iam_successful_group_deletion_filter`' +how_to_implement: The Splunk AWS Add-on and Splunk App for AWS is required to utilize this data. The search requires AWS CloudTrail logs. +known_false_positives: This detection will require tuning to provide high fidelity detection capabilties. Tune based on src addresses (corporate offices, VPN terminations) or by groups of users. Not every user with AWS access should have permission to delete groups (least privilege). references: - https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/delete-group.html - https://docs.aws.amazon.com/IAM/latest/APIReference/API_DeleteGroup.html @@ -35,8 +20,7 @@ tags: asset_type: AWS Account confidence: 50 impact: 10 - message: User $user_arn$ has sucessfully deleted mulitple groups $group_deleted$ - from $src$ + message: User $user_arn$ has sucessfully deleted mulitple groups $group_deleted$ from $src$ mitre_attack_id: - T1069.003 - T1098 @@ -69,8 +53,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098/aws_iam_successful_group_deletion/aws_iam_successful_group_deletion.json + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098/aws_iam_successful_group_deletion/aws_iam_successful_group_deletion.json sourcetype: aws:cloudtrail source: aws_cloudtrail update_timestamp: true diff --git a/detections/cloud/aws_lambda_updatefunctioncode.yml b/detections/cloud/aws_lambda_updatefunctioncode.yml index e25a16f1e2..7a6423711f 100644 --- a/detections/cloud/aws_lambda_updatefunctioncode.yml +++ b/detections/cloud/aws_lambda_updatefunctioncode.yml @@ -5,23 +5,12 @@ date: '2024-10-22' author: Bhavin Patel, Splunk status: production type: Hunting -description: The following analytic identifies IAM users attempting to update or modify - AWS Lambda code via the AWS CLI. It leverages CloudTrail logs to detect successful - `UpdateFunctionCode` events initiated by IAM users. This activity is significant - as it may indicate an attempt to gain persistence, further access, or plant backdoors - within your AWS environment. If confirmed malicious, an attacker could upload and - execute malicious code automatically when the Lambda function is triggered, potentially - compromising the integrity and security of your AWS infrastructure. +description: The following analytic identifies IAM users attempting to update or modify AWS Lambda code via the AWS CLI. It leverages CloudTrail logs to detect successful `UpdateFunctionCode` events initiated by IAM users. This activity is significant as it may indicate an attempt to gain persistence, further access, or plant backdoors within your AWS environment. If confirmed malicious, an attacker could upload and execute malicious code automatically when the Lambda function is triggered, potentially compromising the integrity and security of your AWS infrastructure. data_source: - AWS CloudTrail -search: '`cloudtrail` eventSource=lambda.amazonaws.com eventName=UpdateFunctionCode* errorCode - = success user_type=IAMUser | stats count min(_time) as firstTime max(_time) as - lastTime values(requestParameters.functionName) as function_updated by src_ip user_arn - user_agent user_type eventName aws_account_id |`aws_lambda_updatefunctioncode_filter`' -how_to_implement: You must install Splunk AWS Add on and enable Cloudtrail logs in - your AWS Environment. -known_false_positives: While this search has no known false positives, it is possible - that an AWS admin or an autorized IAM user has updated the lambda fuction code legitimately. +search: '`cloudtrail` eventSource=lambda.amazonaws.com eventName=UpdateFunctionCode* errorCode = success user_type=IAMUser | stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.functionName) as function_updated by src_ip user_arn user_agent user_type eventName aws_account_id |`aws_lambda_updatefunctioncode_filter`' +how_to_implement: You must install Splunk AWS Add on and enable Cloudtrail logs in your AWS Environment. +known_false_positives: While this search has no known false positives, it is possible that an AWS admin or an autorized IAM user has updated the lambda fuction code legitimately. references: - http://detectioninthe.cloud/execution/modify_lambda_function_code/ - https://sysdig.com/blog/exploit-mitigate-aws-lambdas-mitre/ @@ -31,8 +20,7 @@ tags: asset_type: AWS Account confidence: 90 impact: 70 - message: User $user_arn$ is attempting to update the lambda function code of $function_updated$ - from this IP $src_ip$ + message: User $user_arn$ is attempting to update the lambda function code of $function_updated$ from this IP $src_ip$ mitre_attack_id: - T1204 observable: @@ -58,8 +46,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1204/aws_updatelambdafunctioncode/aws_cloudtrail_events.json + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1204/aws_updatelambdafunctioncode/aws_cloudtrail_events.json sourcetype: aws:cloudtrail source: aws_cloudtrail update_timestamp: true diff --git a/detections/cloud/aws_multi_factor_authentication_disabled.yml b/detections/cloud/aws_multi_factor_authentication_disabled.yml index 3f3aaacda9..7ac1b5a8b4 100644 --- a/detections/cloud/aws_multi_factor_authentication_disabled.yml +++ b/detections/cloud/aws_multi_factor_authentication_disabled.yml @@ -16,12 +16,12 @@ references: - https://attack.mitre.org/techniques/T1621/ - https://aws.amazon.com/what-is/mfa/ drilldown_searches: -- name: View the detection results for $aws_account_id$ and $user_name$ - search: '%original_detection_search% | search aws_account_id = $aws_account_id$ user_name = $user_name$' +- name: View the detection results for - "$aws_account_id$" and "$user_name$" + search: '%original_detection_search% | search aws_account_id = "$aws_account_id$" user_name = "$user_name$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $aws_account_id$ and $user_name$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($aws_account_id$, $user_name$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$aws_account_id$" and "$user_name$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$aws_account_id$", "$user_name$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/cloud/aws_multiple_failed_mfa_requests_for_user.yml b/detections/cloud/aws_multiple_failed_mfa_requests_for_user.yml index 7f571d2b49..c40308c3db 100644 --- a/detections/cloud/aws_multiple_failed_mfa_requests_for_user.yml +++ b/detections/cloud/aws_multiple_failed_mfa_requests_for_user.yml @@ -15,12 +15,12 @@ references: - https://attack.mitre.org/techniques/T1621/ - https://aws.amazon.com/what-is/mfa/ drilldown_searches: -- name: View the detection results for $user_name$ - search: '%original_detection_search% | search user_name = $user_name$' +- name: View the detection results for - "$user_name$" + search: '%original_detection_search% | search user_name = "$user_name$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user_name$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user_name$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user_name$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user_name$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/cloud/aws_multiple_users_failing_to_authenticate_from_ip.yml b/detections/cloud/aws_multiple_users_failing_to_authenticate_from_ip.yml index 3a25c2a147..9ac352c9ef 100644 --- a/detections/cloud/aws_multiple_users_failing_to_authenticate_from_ip.yml +++ b/detections/cloud/aws_multiple_users_failing_to_authenticate_from_ip.yml @@ -16,12 +16,12 @@ references: - https://www.whiteoaksecurity.com/blog/goawsconsolespray-password-spraying-tool/ - https://softwaresecuritydotblog.wordpress.com/2019/09/28/how-to-protect-against-credential-stuffing-on-aws/ drilldown_searches: -- name: View the detection results for $tried_accounts$ - search: '%original_detection_search% | search tried_accounts = $tried_accounts$' +- name: View the detection results for - "$tried_accounts$" + search: '%original_detection_search% | search tried_accounts = "$tried_accounts$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $tried_accounts$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($tried_accounts$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$tried_accounts$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$tried_accounts$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/cloud/aws_network_access_control_list_created_with_all_open_ports.yml b/detections/cloud/aws_network_access_control_list_created_with_all_open_ports.yml index f73c98c7b4..451dcbaaa5 100644 --- a/detections/cloud/aws_network_access_control_list_created_with_all_open_ports.yml +++ b/detections/cloud/aws_network_access_control_list_created_with_all_open_ports.yml @@ -14,12 +14,12 @@ how_to_implement: You must install the AWS App for Splunk (version 5.1.0 or late known_false_positives: It's possible that an admin has created this ACL with all ports open for some legitimate purpose however, this should be scoped and not allowed in production environment. references: [] drilldown_searches: -- name: View the detection results for $user_arn$ - search: '%original_detection_search% | search user_arn = $user_arn$' +- name: View the detection results for - "$user_arn$" + search: '%original_detection_search% | search user_arn = "$user_arn$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user_arn$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user_arn$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user_arn$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user_arn$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/cloud/aws_network_access_control_list_deleted.yml b/detections/cloud/aws_network_access_control_list_deleted.yml index bbd2cc700f..5202562353 100644 --- a/detections/cloud/aws_network_access_control_list_deleted.yml +++ b/detections/cloud/aws_network_access_control_list_deleted.yml @@ -13,12 +13,12 @@ how_to_implement: You must install the AWS App for Splunk (version 5.1.0 or late known_false_positives: It's possible that a user has legitimately deleted a network ACL. references: [] drilldown_searches: -- name: View the detection results for $user_arn$ - search: '%original_detection_search% | search user_arn = $user_arn$' +- name: View the detection results for - "$user_arn$" + search: '%original_detection_search% | search user_arn = "$user_arn$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user_arn$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user_arn$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user_arn$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user_arn$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/cloud/aws_new_mfa_method_registered_for_user.yml b/detections/cloud/aws_new_mfa_method_registered_for_user.yml index 0846ce02c3..644a6ca2de 100644 --- a/detections/cloud/aws_new_mfa_method_registered_for_user.yml +++ b/detections/cloud/aws_new_mfa_method_registered_for_user.yml @@ -17,12 +17,12 @@ references: - https://attack.mitre.org/techniques/T1556/006/ - https://twitter.com/jhencinski/status/1618660062352007174 drilldown_searches: -- name: View the detection results for $user_arn$ - search: '%original_detection_search% | search user_arn = $user_arn$' +- name: View the detection results for - "$user_arn$" + search: '%original_detection_search% | search user_arn = "$user_arn$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user_arn$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user_arn$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user_arn$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user_arn$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/cloud/aws_password_policy_changes.yml b/detections/cloud/aws_password_policy_changes.yml index adf2f18ca5..b09c1efbf5 100644 --- a/detections/cloud/aws_password_policy_changes.yml +++ b/detections/cloud/aws_password_policy_changes.yml @@ -5,28 +5,14 @@ date: '2024-10-17' author: Bhavin Patel, Splunk status: production type: Hunting -description: The following analytic detects successful API calls to view, update, - or delete the password policy in an AWS organization. It leverages AWS CloudTrail - logs to identify events such as "UpdateAccountPasswordPolicy," "GetAccountPasswordPolicy," - and "DeleteAccountPasswordPolicy." This activity is significant because it is uncommon - for regular users to perform these actions, and such changes can indicate an adversary - attempting to understand or weaken password defenses. If confirmed malicious, this - could lead to compromised accounts and increased attack surface, potentially allowing - unauthorized access and control over AWS resources. +description: The following analytic detects successful API calls to view, update, or delete the password policy in an AWS organization. It leverages AWS CloudTrail logs to identify events such as "UpdateAccountPasswordPolicy," "GetAccountPasswordPolicy," and "DeleteAccountPasswordPolicy." This activity is significant because it is uncommon for regular users to perform these actions, and such changes can indicate an adversary attempting to understand or weaken password defenses. If confirmed malicious, this could lead to compromised accounts and increased attack surface, potentially allowing unauthorized access and control over AWS resources. data_source: -- AWS CloudTrail UpdateAccountPasswordPolicy -- AWS CloudTrail GetAccountPasswordPolicy +- AWS CloudTrail UpdateAccountPasswordPolicy +- AWS CloudTrail GetAccountPasswordPolicy - AWS CloudTrail DeleteAccountPasswordPolicy -search: '`cloudtrail` eventName IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") - errorCode=success | stats count values(eventName) as eventName values(userAgent) - min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode awsRegion - userIdentity.principalId user_arn src_ip | `security_content_ctime(firstTime)` | - `security_content_ctime(lastTime)` | `aws_password_policy_changes_filter`' -how_to_implement: You must install Splunk AWS Add on and Splunk App for AWS. This - search works with AWS CloudTrail logs. -known_false_positives: While this search has no known false positives, it is possible - that an AWS admin has legitimately triggered an AWS audit tool activity which may - trigger this event. +search: '`cloudtrail` eventName IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") errorCode=success | stats count values(eventName) as eventName values(userAgent) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode awsRegion userIdentity.principalId user_arn src_ip | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `aws_password_policy_changes_filter`' +how_to_implement: You must install Splunk AWS Add on and Splunk App for AWS. This search works with AWS CloudTrail logs. +known_false_positives: While this search has no known false positives, it is possible that an AWS admin has legitimately triggered an AWS audit tool activity which may trigger this event. references: - https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/IAM/password-policy.html tags: @@ -36,8 +22,7 @@ tags: asset_type: AWS Account confidence: 80 impact: 90 - message: User $user_arn$ is attempting to $eventName$ the password policy for account - id $aws_account_id$ + message: User $user_arn$ is attempting to $eventName$ the password policy for account id $aws_account_id$ mitre_attack_id: - T1201 observable: @@ -68,8 +53,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1201/aws_password_policy/cloudtrail.json + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1201/aws_password_policy/cloudtrail.json sourcetype: aws:cloudtrail source: aws_cloudtrail update_timestamp: true diff --git a/detections/cloud/aws_s3_exfiltration_behavior_identified.yml b/detections/cloud/aws_s3_exfiltration_behavior_identified.yml index 1803e6d306..e7f799bd4e 100644 --- a/detections/cloud/aws_s3_exfiltration_behavior_identified.yml +++ b/detections/cloud/aws_s3_exfiltration_behavior_identified.yml @@ -15,12 +15,12 @@ references: - https://stratus-red-team.cloud/attack-techniques/AWS/aws.exfiltration.ec2-share-ebs-snapshot/ - https://hackingthe.cloud/aws/enumeration/loot_public_ebs_snapshots/ drilldown_searches: -- name: View the detection results for $risk_object$ - search: '%original_detection_search% | search risk_object = $risk_object$' +- name: View the detection results for - "$risk_object$" + search: '%original_detection_search% | search risk_object = "$risk_object$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $risk_object$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($risk_object$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$risk_object$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$risk_object$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/cloud/aws_saml_access_by_provider_user_and_principal.yml b/detections/cloud/aws_saml_access_by_provider_user_and_principal.yml index b05062af05..cdc1df64c1 100644 --- a/detections/cloud/aws_saml_access_by_provider_user_and_principal.yml +++ b/detections/cloud/aws_saml_access_by_provider_user_and_principal.yml @@ -17,12 +17,12 @@ references: - https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/wp-m-unc2452-2021-000343-01.pdf - https://www.cyberark.com/resources/threat-research-blog/golden-saml-newly-discovered-attack-technique-forges-authentication-to-cloud-apps drilldown_searches: -- name: View the detection results for $recipientAccountId$ - search: '%original_detection_search% | search recipientAccountId = $recipientAccountId$' +- name: View the detection results for - "$recipientAccountId$" + search: '%original_detection_search% | search recipientAccountId = "$recipientAccountId$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $recipientAccountId$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($recipientAccountId$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$recipientAccountId$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$recipientAccountId$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/cloud/aws_saml_update_identity_provider.yml b/detections/cloud/aws_saml_update_identity_provider.yml index f7352bfcf7..08f761d472 100644 --- a/detections/cloud/aws_saml_update_identity_provider.yml +++ b/detections/cloud/aws_saml_update_identity_provider.yml @@ -17,12 +17,12 @@ references: - https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/wp-m-unc2452-2021-000343-01.pdf - https://www.cyberark.com/resources/threat-research-blog/golden-saml-newly-discovered-attack-technique-forges-authentication-to-cloud-apps drilldown_searches: -- name: View the detection results for $userIdentity.principalId$ - search: '%original_detection_search% | search userIdentity.principalId = $userIdentity.principalId$' +- name: View the detection results for - "$userIdentity.principalId$" + search: '%original_detection_search% | search userIdentity.principalId = "$userIdentity.principalId$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $userIdentity.principalId$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($userIdentity.principalId$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$userIdentity.principalId$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$userIdentity.principalId$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/cloud/aws_setdefaultpolicyversion.yml b/detections/cloud/aws_setdefaultpolicyversion.yml index f5b79f74e8..ce14202849 100644 --- a/detections/cloud/aws_setdefaultpolicyversion.yml +++ b/detections/cloud/aws_setdefaultpolicyversion.yml @@ -15,12 +15,12 @@ references: - https://bishopfox.com/blog/privilege-escalation-in-aws - https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation-part-2/ drilldown_searches: -- name: View the detection results for $user_arn$ - search: '%original_detection_search% | search user_arn = $user_arn$' +- name: View the detection results for - "$user_arn$" + search: '%original_detection_search% | search user_arn = "$user_arn$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user_arn$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user_arn$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user_arn$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user_arn$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/cloud/aws_successful_console_authentication_from_multiple_ips.yml b/detections/cloud/aws_successful_console_authentication_from_multiple_ips.yml index ab06c20544..13c9247aa6 100644 --- a/detections/cloud/aws_successful_console_authentication_from_multiple_ips.yml +++ b/detections/cloud/aws_successful_console_authentication_from_multiple_ips.yml @@ -14,12 +14,12 @@ known_false_positives: A user with successful authentication events from differe references: - https://rhinosecuritylabs.com/aws/mfa-phishing-on-aws/ drilldown_searches: -- name: View the detection results for $user_arn$ - search: '%original_detection_search% | search user_arn = $user_arn$' +- name: View the detection results for - "$user_arn$" + search: '%original_detection_search% | search user_arn = "$user_arn$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user_arn$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user_arn$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user_arn$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user_arn$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/cloud/aws_successful_single_factor_authentication.yml b/detections/cloud/aws_successful_single_factor_authentication.yml index 45e83cc45d..4fb97224a7 100644 --- a/detections/cloud/aws_successful_single_factor_authentication.yml +++ b/detections/cloud/aws_successful_single_factor_authentication.yml @@ -16,12 +16,12 @@ references: - https://attack.mitre.org/techniques/T1078/004/ - https://aws.amazon.com/what-is/mfa/ drilldown_searches: -- name: View the detection results for $user_name$ - search: '%original_detection_search% | search user_name = $user_name$' +- name: View the detection results for - "$user_name$" + search: '%original_detection_search% | search user_name = "$user_name$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user_name$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user_name$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user_name$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user_name$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/cloud/aws_unusual_number_of_failed_authentications_from_ip.yml b/detections/cloud/aws_unusual_number_of_failed_authentications_from_ip.yml index 70ecd35dcf..bd7f9794e1 100644 --- a/detections/cloud/aws_unusual_number_of_failed_authentications_from_ip.yml +++ b/detections/cloud/aws_unusual_number_of_failed_authentications_from_ip.yml @@ -16,12 +16,12 @@ references: - https://www.whiteoaksecurity.com/blog/goawsconsolespray-password-spraying-tool/ - https://softwaresecuritydotblog.wordpress.com/2019/09/28/how-to-protect-against-credential-stuffing-on-aws/ drilldown_searches: -- name: View the detection results for $tried_accounts$ - search: '%original_detection_search% | search tried_accounts = $tried_accounts$' +- name: View the detection results for - "$tried_accounts$" + search: '%original_detection_search% | search tried_accounts = "$tried_accounts$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $tried_accounts$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($tried_accounts$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$tried_accounts$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$tried_accounts$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/cloud/aws_updateloginprofile.yml b/detections/cloud/aws_updateloginprofile.yml index 0b0e0a9d71..5b7afc1a65 100644 --- a/detections/cloud/aws_updateloginprofile.yml +++ b/detections/cloud/aws_updateloginprofile.yml @@ -15,12 +15,12 @@ references: - https://bishopfox.com/blog/privilege-escalation-in-aws - https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation-part-2/ drilldown_searches: -- name: View the detection results for $user_arn$ - search: '%original_detection_search% | search user_arn = $user_arn$' +- name: View the detection results for - "$user_arn$" + search: '%original_detection_search% | search user_arn = "$user_arn$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user_arn$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user_arn$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user_arn$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user_arn$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/cloud/azure_active_directory_high_risk_sign_in.yml b/detections/cloud/azure_active_directory_high_risk_sign_in.yml index c8600edc1e..c12e138e56 100644 --- a/detections/cloud/azure_active_directory_high_risk_sign_in.yml +++ b/detections/cloud/azure_active_directory_high_risk_sign_in.yml @@ -17,12 +17,12 @@ references: - https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/overview-identity-protection - https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks drilldown_searches: -- name: View the detection results for $user$ - search: '%original_detection_search% | search user = $user$' +- name: View the detection results for - "$user$" + search: '%original_detection_search% | search user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/cloud/azure_ad_admin_consent_bypassed_by_service_principal.yml b/detections/cloud/azure_ad_admin_consent_bypassed_by_service_principal.yml index 0e24140270..bcf5ca35c1 100644 --- a/detections/cloud/azure_ad_admin_consent_bypassed_by_service_principal.yml +++ b/detections/cloud/azure_ad_admin_consent_bypassed_by_service_principal.yml @@ -14,12 +14,12 @@ known_false_positives: Service Principals are sometimes configured to legitimate references: - https://attack.mitre.org/techniques/T1098/003/ drilldown_searches: -- name: View the detection results for $user$ and $src_user$ - search: '%original_detection_search% | search user = $user$ src_user = $src_user$' +- name: View the detection results for - "$user$" and "$src_user$" + search: '%original_detection_search% | search user = "$user$" src_user = "$src_user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ and $src_user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$, $src_user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" and "$src_user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$src_user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/cloud/azure_ad_application_administrator_role_assigned.yml b/detections/cloud/azure_ad_application_administrator_role_assigned.yml index d90dc4e2f7..5b148f2137 100644 --- a/detections/cloud/azure_ad_application_administrator_role_assigned.yml +++ b/detections/cloud/azure_ad_application_administrator_role_assigned.yml @@ -18,12 +18,12 @@ references: - https://attack.mitre.org/techniques/T1098/003/ - https://learn.microsoft.com/en-us/azure/active-directory/roles/permissions-reference#application-administrator drilldown_searches: -- name: View the detection results for $user$ - search: '%original_detection_search% | search user = $user$' +- name: View the detection results for - "$user$" + search: '%original_detection_search% | search user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/cloud/azure_ad_authentication_failed_during_mfa_challenge.yml b/detections/cloud/azure_ad_authentication_failed_during_mfa_challenge.yml index 459829c35b..5625c1c171 100644 --- a/detections/cloud/azure_ad_authentication_failed_during_mfa_challenge.yml +++ b/detections/cloud/azure_ad_authentication_failed_during_mfa_challenge.yml @@ -16,12 +16,12 @@ references: - https://attack.mitre.org/techniques/T1078/004/ - https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-mfa-howitworks drilldown_searches: -- name: View the detection results for $user$ - search: '%original_detection_search% | search user = $user$' +- name: View the detection results for - "$user$" + search: '%original_detection_search% | search user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/cloud/azure_ad_block_user_consent_for_risky_apps_disabled.yml b/detections/cloud/azure_ad_block_user_consent_for_risky_apps_disabled.yml index 71da366678..e7fed2c8eb 100644 --- a/detections/cloud/azure_ad_block_user_consent_for_risky_apps_disabled.yml +++ b/detections/cloud/azure_ad_block_user_consent_for_risky_apps_disabled.yml @@ -17,12 +17,12 @@ references: - https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/configure-risk-based-step-up-consent - https://learn.microsoft.com/en-us/defender-cloud-apps/investigate-risky-oauth drilldown_searches: -- name: View the detection results for $user$ - search: '%original_detection_search% | search user = $user$' +- name: View the detection results for - "$user$" + search: '%original_detection_search% | search user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/cloud/azure_ad_concurrent_sessions_from_different_ips.yml b/detections/cloud/azure_ad_concurrent_sessions_from_different_ips.yml index 2dd2f5b49f..2753e73925 100644 --- a/detections/cloud/azure_ad_concurrent_sessions_from_different_ips.yml +++ b/detections/cloud/azure_ad_concurrent_sessions_from_different_ips.yml @@ -16,12 +16,12 @@ references: - https://breakdev.org/evilginx-2-next-generation-of-phishing-2fa-tokens/ - https://github.com/kgretzky/evilginx2 drilldown_searches: -- name: View the detection results for $user$ - search: '%original_detection_search% | search user = $user$' +- name: View the detection results for - "$user$" + search: '%original_detection_search% | search user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/cloud/azure_ad_device_code_authentication.yml b/detections/cloud/azure_ad_device_code_authentication.yml index 90c827e9ba..87ea1fab30 100644 --- a/detections/cloud/azure_ad_device_code_authentication.yml +++ b/detections/cloud/azure_ad_device_code_authentication.yml @@ -18,12 +18,12 @@ references: - https://0xboku.com/2021/07/12/ArtOfDeviceCodePhish.html - https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-device-code drilldown_searches: -- name: View the detection results for $user$ - search: '%original_detection_search% | search user = $user$' +- name: View the detection results for - "$user$" + search: '%original_detection_search% | search user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/cloud/azure_ad_external_guest_user_invited.yml b/detections/cloud/azure_ad_external_guest_user_invited.yml index 54237b71c2..7efe7bace2 100644 --- a/detections/cloud/azure_ad_external_guest_user_invited.yml +++ b/detections/cloud/azure_ad_external_guest_user_invited.yml @@ -17,12 +17,12 @@ references: - https://attack.mitre.org/techniques/T1136/003/ - https://docs.microsoft.com/en-us/azure/active-directory/external-identities/b2b-quickstart-add-guest-users-portal drilldown_searches: -- name: View the detection results for $user$ - search: '%original_detection_search% | search user = $user$' +- name: View the detection results for - "$user$" + search: '%original_detection_search% | search user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/cloud/azure_ad_fullaccessasapp_permission_assigned.yml b/detections/cloud/azure_ad_fullaccessasapp_permission_assigned.yml index fffdb3a73d..4d11032bed 100644 --- a/detections/cloud/azure_ad_fullaccessasapp_permission_assigned.yml +++ b/detections/cloud/azure_ad_fullaccessasapp_permission_assigned.yml @@ -16,12 +16,12 @@ references: - https://www.microsoft.com/en-us/security/blog/2024/01/25/midnight-blizzard-guidance-for-responders-on-nation-state-attack/ - https://attack.mitre.org/techniques/T1098/002/ drilldown_searches: -- name: View the detection results for $user$ - search: '%original_detection_search% | search user = $user$' +- name: View the detection results for - "$user$" + search: '%original_detection_search% | search user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/cloud/azure_ad_global_administrator_role_assigned.yml b/detections/cloud/azure_ad_global_administrator_role_assigned.yml index c2e2312ffc..34e0d25a4a 100644 --- a/detections/cloud/azure_ad_global_administrator_role_assigned.yml +++ b/detections/cloud/azure_ad_global_administrator_role_assigned.yml @@ -19,12 +19,12 @@ references: - https://docs.microsoft.com/en-us/azure/role-based-access-control/elevate-access-global-admin - https://attack.mitre.org/techniques/T1098/003/ drilldown_searches: -- name: View the detection results for $user$ - search: '%original_detection_search% | search user = $user$' +- name: View the detection results for - "$user$" + search: '%original_detection_search% | search user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/cloud/azure_ad_high_number_of_failed_authentications_for_user.yml b/detections/cloud/azure_ad_high_number_of_failed_authentications_for_user.yml index 5ce7f51ac9..d228df26b5 100644 --- a/detections/cloud/azure_ad_high_number_of_failed_authentications_for_user.yml +++ b/detections/cloud/azure_ad_high_number_of_failed_authentications_for_user.yml @@ -15,12 +15,12 @@ references: - https://attack.mitre.org/techniques/T1110/ - https://attack.mitre.org/techniques/T1110/001/ drilldown_searches: -- name: View the detection results for $user$ - search: '%original_detection_search% | search user = $user$' +- name: View the detection results for - "$user$" + search: '%original_detection_search% | search user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/cloud/azure_ad_high_number_of_failed_authentications_from_ip.yml b/detections/cloud/azure_ad_high_number_of_failed_authentications_from_ip.yml index 43009e0227..81a682ea42 100644 --- a/detections/cloud/azure_ad_high_number_of_failed_authentications_from_ip.yml +++ b/detections/cloud/azure_ad_high_number_of_failed_authentications_from_ip.yml @@ -16,12 +16,12 @@ references: - https://attack.mitre.org/techniques/T1110/001/ - https://attack.mitre.org/techniques/T1110/003/ drilldown_searches: -- name: View the detection results for $user$ - search: '%original_detection_search% | search user = $user$' +- name: View the detection results for - "$user$" + search: '%original_detection_search% | search user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/cloud/azure_ad_multi_factor_authentication_disabled.yml b/detections/cloud/azure_ad_multi_factor_authentication_disabled.yml index e5260c6efc..b731fd24d7 100644 --- a/detections/cloud/azure_ad_multi_factor_authentication_disabled.yml +++ b/detections/cloud/azure_ad_multi_factor_authentication_disabled.yml @@ -17,12 +17,12 @@ references: - https://attack.mitre.org/tactics/TA0005/ - https://attack.mitre.org/techniques/T1556/ drilldown_searches: -- name: View the detection results for $user$ - search: '%original_detection_search% | search user = $user$' +- name: View the detection results for - "$user$" + search: '%original_detection_search% | search user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/cloud/azure_ad_multi_source_failed_authentications_spike.yml b/detections/cloud/azure_ad_multi_source_failed_authentications_spike.yml index d7039b9e9b..762edbf371 100644 --- a/detections/cloud/azure_ad_multi_source_failed_authentications_spike.yml +++ b/detections/cloud/azure_ad_multi_source_failed_authentications_spike.yml @@ -7,40 +7,10 @@ status: production type: Hunting data_source: - Azure Active Directory -description: The following analytic detects potential distributed password spraying - attacks in an Azure AD environment. It identifies a spike in failed authentication - attempts across various user-and-IP combinations from multiple source IPs and countries, - using different user agents. This detection leverages Azure AD SignInLogs, focusing - on error code 50126 for failed authentications. This activity is significant as - it indicates an adversary's attempt to bypass security controls by distributing - login attempts. If confirmed malicious, this could lead to unauthorized access, - data breaches, privilege escalation, and lateral movement within the organization's - infrastructure. -search: '`azure_monitor_aad` category=SignInLogs properties.status.errorCode=50126 - properties.authenticationDetails{}.succeeded=false | rename properties.* as * | - bucket span=5m _time | eval uniqueIPUserCombo = src_ip . "-" . user | stats count - min(_time) as firstTime max(_time) as lastTime dc(uniqueIPUserCombo) as uniqueIpUserCombinations, - dc(user) as uniqueUsers, dc(src_ip) as uniqueIPs, dc(user_agent) as uniqueUserAgents, - dc(location.countryOrRegion) as uniqueCountries values(user) as user, values(src_ip) - as ips, values(user_agent) as user_agents, values(location.countryOrRegion) as countries - | where uniqueIpUserCombinations > 20 AND uniqueUsers > 20 AND uniqueIPs > 20 AND - uniqueUserAgents = 1 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` - | `azure_ad_multi_source_failed_authentications_spike_filter`' -how_to_implement: You must install the latest version of Splunk Add-on for Microsoft - Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). - You must be ingesting Azure Active Directory events into your Splunk environment - through an EventHub. This analytic was written to be used with the azure:monitor:aad - sourcetype leveraging the SignInLogs log category. The thresholds set within the - analytic (such as unique IPs, unique users, etc.) are initial guidelines and should - be customized based on the organization's user behavior and risk profile. Security - teams are encouraged to adjust these thresholds to optimize the balance between - detecting genuine threats and minimizing false positives, ensuring the detection - is tailored to their specific environment. -known_false_positives: This detection may yield false positives in scenarios where - legitimate bulk sign-in activities occur, such as during company-wide system updates - or when users are accessing resources from varying locations in a short time frame, - such as in the case of VPNs or cloud services that rotate IP addresses. Filter as - needed. +description: The following analytic detects potential distributed password spraying attacks in an Azure AD environment. It identifies a spike in failed authentication attempts across various user-and-IP combinations from multiple source IPs and countries, using different user agents. This detection leverages Azure AD SignInLogs, focusing on error code 50126 for failed authentications. This activity is significant as it indicates an adversary's attempt to bypass security controls by distributing login attempts. If confirmed malicious, this could lead to unauthorized access, data breaches, privilege escalation, and lateral movement within the organization's infrastructure. +search: '`azure_monitor_aad` category=SignInLogs properties.status.errorCode=50126 properties.authenticationDetails{}.succeeded=false | rename properties.* as * | bucket span=5m _time | eval uniqueIPUserCombo = src_ip . "-" . user | stats count min(_time) as firstTime max(_time) as lastTime dc(uniqueIPUserCombo) as uniqueIpUserCombinations, dc(user) as uniqueUsers, dc(src_ip) as uniqueIPs, dc(user_agent) as uniqueUserAgents, dc(location.countryOrRegion) as uniqueCountries values(user) as user, values(src_ip) as ips, values(user_agent) as user_agents, values(location.countryOrRegion) as countries | where uniqueIpUserCombinations > 20 AND uniqueUsers > 20 AND uniqueIPs > 20 AND uniqueUserAgents = 1 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_ad_multi_source_failed_authentications_spike_filter`' +how_to_implement: You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the SignInLogs log category. The thresholds set within the analytic (such as unique IPs, unique users, etc.) are initial guidelines and should be customized based on the organization's user behavior and risk profile. Security teams are encouraged to adjust these thresholds to optimize the balance between detecting genuine threats and minimizing false positives, ensuring the detection is tailored to their specific environment. +known_false_positives: This detection may yield false positives in scenarios where legitimate bulk sign-in activities occur, such as during company-wide system updates or when users are accessing resources from varying locations in a short time frame, such as in the case of VPNs or cloud services that rotate IP addresses. Filter as needed. references: - https://attack.mitre.org/techniques/T1110/003/ - https://docs.microsoft.com/en-us/security/compass/incident-response-playbook-password-spray @@ -83,7 +53,6 @@ tags: tests: - name: True Positive Test attack_data: - - data: - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.003/azure_ad_distributed_spray/azure_ad_distributed_spray.log + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.003/azure_ad_distributed_spray/azure_ad_distributed_spray.log source: Azure AD sourcetype: azure:monitor:aad diff --git a/detections/cloud/azure_ad_multiple_appids_and_useragents_authentication_spike.yml b/detections/cloud/azure_ad_multiple_appids_and_useragents_authentication_spike.yml index f4583b4742..5afdf5ba30 100644 --- a/detections/cloud/azure_ad_multiple_appids_and_useragents_authentication_spike.yml +++ b/detections/cloud/azure_ad_multiple_appids_and_useragents_authentication_spike.yml @@ -17,12 +17,12 @@ references: - https://github.com/dafthack/MFASweep - https://www.youtube.com/watch?v=SK1zgqaAZ2E drilldown_searches: -- name: View the detection results for $user$ - search: '%original_detection_search% | search user = $user$' +- name: View the detection results for - "$user$" + search: '%original_detection_search% | search user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/cloud/azure_ad_multiple_denied_mfa_requests_for_user.yml b/detections/cloud/azure_ad_multiple_denied_mfa_requests_for_user.yml index f97abb7ad2..fdabbd592b 100644 --- a/detections/cloud/azure_ad_multiple_denied_mfa_requests_for_user.yml +++ b/detections/cloud/azure_ad_multiple_denied_mfa_requests_for_user.yml @@ -19,12 +19,12 @@ references: - https://attack.mitre.org/techniques/T1078/004/ - https://www.cisa.gov/sites/default/files/publications/fact-sheet-implement-number-matching-in-mfa-applications-508c.pdf drilldown_searches: -- name: View the detection results for $user$ - search: '%original_detection_search% | search user = $user$' +- name: View the detection results for - "$user$" + search: '%original_detection_search% | search user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/cloud/azure_ad_multiple_failed_mfa_requests_for_user.yml b/detections/cloud/azure_ad_multiple_failed_mfa_requests_for_user.yml index 56eb3318bb..cedeef1f6f 100644 --- a/detections/cloud/azure_ad_multiple_failed_mfa_requests_for_user.yml +++ b/detections/cloud/azure_ad_multiple_failed_mfa_requests_for_user.yml @@ -19,12 +19,12 @@ references: - https://attack.mitre.org/techniques/T1078/004/ - https://www.cisa.gov/sites/default/files/publications/fact-sheet-implement-number-matching-in-mfa-applications-508c.pdf drilldown_searches: -- name: View the detection results for $user$ - search: '%original_detection_search% | search user = $user$' +- name: View the detection results for - "$user$" + search: '%original_detection_search% | search user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/cloud/azure_ad_multiple_service_principals_created_by_sp.yml b/detections/cloud/azure_ad_multiple_service_principals_created_by_sp.yml index e8556be98d..1b5a88d8d8 100644 --- a/detections/cloud/azure_ad_multiple_service_principals_created_by_sp.yml +++ b/detections/cloud/azure_ad_multiple_service_principals_created_by_sp.yml @@ -15,12 +15,12 @@ references: - https://attack.mitre.org/techniques/T1136/003/ - https://www.microsoft.com/en-us/security/blog/2024/01/25/midnight-blizzard-guidance-for-responders-on-nation-state-attack/ drilldown_searches: -- name: View the detection results for $src_user$ - search: '%original_detection_search% | search src_user = $src_user$' +- name: View the detection results for - "$src_user$" + search: '%original_detection_search% | search src_user = "$src_user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $src_user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($src_user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$src_user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src_user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/cloud/azure_ad_multiple_service_principals_created_by_user.yml b/detections/cloud/azure_ad_multiple_service_principals_created_by_user.yml index 37f029f0ad..0e32c6949f 100644 --- a/detections/cloud/azure_ad_multiple_service_principals_created_by_user.yml +++ b/detections/cloud/azure_ad_multiple_service_principals_created_by_user.yml @@ -15,12 +15,12 @@ references: - https://attack.mitre.org/techniques/T1136/003/ - https://www.microsoft.com/en-us/security/blog/2024/01/25/midnight-blizzard-guidance-for-responders-on-nation-state-attack/ drilldown_searches: -- name: View the detection results for $src_user$ - search: '%original_detection_search% | search src_user = $src_user$' +- name: View the detection results for - "$src_user$" + search: '%original_detection_search% | search src_user = "$src_user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $src_user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($src_user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$src_user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src_user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/cloud/azure_ad_multiple_users_failing_to_authenticate_from_ip.yml b/detections/cloud/azure_ad_multiple_users_failing_to_authenticate_from_ip.yml index fd97cacd20..140fa49f80 100644 --- a/detections/cloud/azure_ad_multiple_users_failing_to_authenticate_from_ip.yml +++ b/detections/cloud/azure_ad_multiple_users_failing_to_authenticate_from_ip.yml @@ -17,12 +17,12 @@ references: - https://www.cisa.gov/uscert/ncas/alerts/aa21-008a - https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes drilldown_searches: -- name: View the detection results for $user$ - search: '%original_detection_search% | search user = $user$' +- name: View the detection results for - "$user$" + search: '%original_detection_search% | search user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/cloud/azure_ad_new_custom_domain_added.yml b/detections/cloud/azure_ad_new_custom_domain_added.yml index 34ec4a1858..a882652264 100644 --- a/detections/cloud/azure_ad_new_custom_domain_added.yml +++ b/detections/cloud/azure_ad_new_custom_domain_added.yml @@ -19,12 +19,12 @@ references: - https://www.mandiant.com/resources/blog/detecting-microsoft-365-azure-active-directory-backdoors - https://attack.mitre.org/techniques/T1484/002/ drilldown_searches: -- name: View the detection results for $user$ - search: '%original_detection_search% | search user = $user$' +- name: View the detection results for - "$user$" + search: '%original_detection_search% | search user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/cloud/azure_ad_new_federated_domain_added.yml b/detections/cloud/azure_ad_new_federated_domain_added.yml index 5bcb4448bb..4ed7fcabff 100644 --- a/detections/cloud/azure_ad_new_federated_domain_added.yml +++ b/detections/cloud/azure_ad_new_federated_domain_added.yml @@ -18,12 +18,12 @@ references: - https://www.mandiant.com/resources/blog/detecting-microsoft-365-azure-active-directory-backdoors - https://attack.mitre.org/techniques/T1484/002/ drilldown_searches: -- name: View the detection results for $user$ - search: '%original_detection_search% | search user = $user$' +- name: View the detection results for - "$user$" + search: '%original_detection_search% | search user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/cloud/azure_ad_new_mfa_method_registered.yml b/detections/cloud/azure_ad_new_mfa_method_registered.yml index 96b434d13e..01c60a3fa0 100644 --- a/detections/cloud/azure_ad_new_mfa_method_registered.yml +++ b/detections/cloud/azure_ad_new_mfa_method_registered.yml @@ -16,12 +16,12 @@ references: - https://www.microsoft.com/en-us/security/blog/2023/06/08/detecting-and-mitigating-a-multi-stage-aitm-phishing-and-bec-campaign/ - https://www.csoonline.com/article/573451/sophisticated-bec-scammers-bypass-microsoft-365-multi-factor-authentication.html drilldown_searches: -- name: View the detection results for $user$ - search: '%original_detection_search% | search user = $user$' +- name: View the detection results for - "$user$" + search: '%original_detection_search% | search user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/cloud/azure_ad_new_mfa_method_registered_for_user.yml b/detections/cloud/azure_ad_new_mfa_method_registered_for_user.yml index 7eab5b3ff7..787f7c5816 100644 --- a/detections/cloud/azure_ad_new_mfa_method_registered_for_user.yml +++ b/detections/cloud/azure_ad_new_mfa_method_registered_for_user.yml @@ -17,12 +17,12 @@ references: - https://attack.mitre.org/techniques/T1556/006/ - https://twitter.com/jhencinski/status/1618660062352007174 drilldown_searches: -- name: View the detection results for $user$ - search: '%original_detection_search% | search user = $user$' +- name: View the detection results for - "$user$" + search: '%original_detection_search% | search user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/cloud/azure_ad_oauth_application_consent_granted_by_user.yml b/detections/cloud/azure_ad_oauth_application_consent_granted_by_user.yml index 39126116c5..9b370e317d 100644 --- a/detections/cloud/azure_ad_oauth_application_consent_granted_by_user.yml +++ b/detections/cloud/azure_ad_oauth_application_consent_granted_by_user.yml @@ -19,12 +19,12 @@ references: - https://www.alteredsecurity.com/post/introduction-to-365-stealer - https://github.com/AlteredSecurity/365-Stealer drilldown_searches: -- name: View the detection results for $user$ - search: '%original_detection_search% | search user = $user$' +- name: View the detection results for - "$user$" + search: '%original_detection_search% | search user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/cloud/azure_ad_pim_role_assigned.yml b/detections/cloud/azure_ad_pim_role_assigned.yml index 27221f5b38..3c10452668 100644 --- a/detections/cloud/azure_ad_pim_role_assigned.yml +++ b/detections/cloud/azure_ad_pim_role_assigned.yml @@ -16,12 +16,12 @@ references: - https://learn.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-how-to-activate-role - https://microsoft.github.io/Azure-Threat-Research-Matrix/PrivilegeEscalation/AZT401/AZT401/ drilldown_searches: -- name: View the detection results for $user$ - search: '%original_detection_search% | search user = $user$' +- name: View the detection results for - "$user$" + search: '%original_detection_search% | search user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/cloud/azure_ad_pim_role_assignment_activated.yml b/detections/cloud/azure_ad_pim_role_assignment_activated.yml index 17ef603578..b3ef1f5dc4 100644 --- a/detections/cloud/azure_ad_pim_role_assignment_activated.yml +++ b/detections/cloud/azure_ad_pim_role_assignment_activated.yml @@ -16,12 +16,12 @@ references: - https://learn.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-how-to-activate-role - https://microsoft.github.io/Azure-Threat-Research-Matrix/PrivilegeEscalation/AZT401/AZT401/ drilldown_searches: -- name: View the detection results for $user$ - search: '%original_detection_search% | search user = $user$' +- name: View the detection results for - "$user$" + search: '%original_detection_search% | search user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/cloud/azure_ad_privileged_authentication_administrator_role_assigned.yml b/detections/cloud/azure_ad_privileged_authentication_administrator_role_assigned.yml index f7d32cc4ec..84ff7183e3 100644 --- a/detections/cloud/azure_ad_privileged_authentication_administrator_role_assigned.yml +++ b/detections/cloud/azure_ad_privileged_authentication_administrator_role_assigned.yml @@ -16,12 +16,12 @@ references: - https://posts.specterops.io/azure-privilege-escalation-via-azure-api-permissions-abuse-74aee1006f48 - https://learn.microsoft.com/en-us/azure/active-directory/roles/permissions-reference drilldown_searches: -- name: View the detection results for $user$ - search: '%original_detection_search% | search user = $user$' +- name: View the detection results for - "$user$" + search: '%original_detection_search% | search user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/cloud/azure_ad_privileged_graph_api_permission_assigned.yml b/detections/cloud/azure_ad_privileged_graph_api_permission_assigned.yml index 97b49a0afb..e7ca09a520 100644 --- a/detections/cloud/azure_ad_privileged_graph_api_permission_assigned.yml +++ b/detections/cloud/azure_ad_privileged_graph_api_permission_assigned.yml @@ -18,12 +18,12 @@ references: - https://www.microsoft.com/en-us/security/blog/2024/01/25/midnight-blizzard-guidance-for-responders-on-nation-state-attack/ - https://posts.specterops.io/azure-privilege-escalation-via-azure-api-permissions-abuse-74aee1006f48 drilldown_searches: -- name: View the detection results for $user$ - search: '%original_detection_search% | search user = $user$' +- name: View the detection results for - "$user$" + search: '%original_detection_search% | search user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/cloud/azure_ad_privileged_role_assigned.yml b/detections/cloud/azure_ad_privileged_role_assigned.yml index 813943b237..8f3e9b1cd3 100644 --- a/detections/cloud/azure_ad_privileged_role_assigned.yml +++ b/detections/cloud/azure_ad_privileged_role_assigned.yml @@ -19,12 +19,12 @@ references: - https://docs.microsoft.com/en-us/azure/active-directory/roles/security-planning - https://attack.mitre.org/techniques/T1098/003/ drilldown_searches: -- name: View the detection results for $user$ - search: '%original_detection_search% | search user = $user$' +- name: View the detection results for - "$user$" + search: '%original_detection_search% | search user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/cloud/azure_ad_privileged_role_assigned_to_service_principal.yml b/detections/cloud/azure_ad_privileged_role_assigned_to_service_principal.yml index 6d61978733..1a4892d35f 100644 --- a/detections/cloud/azure_ad_privileged_role_assigned_to_service_principal.yml +++ b/detections/cloud/azure_ad_privileged_role_assigned_to_service_principal.yml @@ -14,12 +14,12 @@ known_false_positives: Administrators may legitimately assign the privileged rol references: - https://posts.specterops.io/azure-privilege-escalation-via-service-principal-abuse-210ae2be2a5 drilldown_searches: -- name: View the detection results for $initiatedBy$ - search: '%original_detection_search% | search initiatedBy = $initiatedBy$' +- name: View the detection results for - "$initiatedBy$" + search: '%original_detection_search% | search initiatedBy = "$initiatedBy$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $initiatedBy$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($initiatedBy$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$initiatedBy$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$initiatedBy$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/cloud/azure_ad_service_principal_authentication.yml b/detections/cloud/azure_ad_service_principal_authentication.yml index 1dcf0a0a6e..525fd071cb 100644 --- a/detections/cloud/azure_ad_service_principal_authentication.yml +++ b/detections/cloud/azure_ad_service_principal_authentication.yml @@ -15,12 +15,12 @@ references: - https://attack.mitre.org/techniques/T1078/004/ - https://learn.microsoft.com/en-us/entra/identity/monitoring-health/concept-sign-ins#service-principal-sign-ins drilldown_searches: -- name: View the detection results for $user$ - search: '%original_detection_search% | search user = $user$' +- name: View the detection results for - "$user$" + search: '%original_detection_search% | search user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/cloud/azure_ad_service_principal_created.yml b/detections/cloud/azure_ad_service_principal_created.yml index f3c19a392e..00c27e728c 100644 --- a/detections/cloud/azure_ad_service_principal_created.yml +++ b/detections/cloud/azure_ad_service_principal_created.yml @@ -18,12 +18,12 @@ references: - https://www.inversecos.com/2021/10/how-to-backdoor-azure-applications-and.html - https://attack.mitre.org/techniques/T1136/003/ drilldown_searches: -- name: View the detection results for $displayName$ - search: '%original_detection_search% | search displayName = $displayName$' +- name: View the detection results for - "$displayName$" + search: '%original_detection_search% | search displayName = "$displayName$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $displayName$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($displayName$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$displayName$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$displayName$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/cloud/azure_ad_service_principal_new_client_credentials.yml b/detections/cloud/azure_ad_service_principal_new_client_credentials.yml index 8042250ccd..dbcc94eb53 100644 --- a/detections/cloud/azure_ad_service_principal_new_client_credentials.yml +++ b/detections/cloud/azure_ad_service_principal_new_client_credentials.yml @@ -19,12 +19,12 @@ references: - https://www.mandiant.com/resources/blog/apt29-continues-targeting-microsoft - https://microsoft.github.io/Azure-Threat-Research-Matrix/PrivilegeEscalation/AZT405/AZT405-3/ drilldown_searches: -- name: View the detection results for $user$ - search: '%original_detection_search% | search user = $user$' +- name: View the detection results for - "$user$" + search: '%original_detection_search% | search user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/cloud/azure_ad_service_principal_owner_added.yml b/detections/cloud/azure_ad_service_principal_owner_added.yml index 870856a2ec..ebe9073415 100644 --- a/detections/cloud/azure_ad_service_principal_owner_added.yml +++ b/detections/cloud/azure_ad_service_principal_owner_added.yml @@ -14,12 +14,12 @@ known_false_positives: Administrator may legitimately add new owners for Service references: - https://attack.mitre.org/techniques/T1098/ drilldown_searches: -- name: View the detection results for $displayName$ - search: '%original_detection_search% | search displayName = $displayName$' +- name: View the detection results for - "$displayName$" + search: '%original_detection_search% | search displayName = "$displayName$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $displayName$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($displayName$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$displayName$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$displayName$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/cloud/azure_ad_successful_authentication_from_different_ips.yml b/detections/cloud/azure_ad_successful_authentication_from_different_ips.yml index e0094cb86b..68c04f310c 100644 --- a/detections/cloud/azure_ad_successful_authentication_from_different_ips.yml +++ b/detections/cloud/azure_ad_successful_authentication_from_different_ips.yml @@ -16,12 +16,12 @@ references: - https://attack.mitre.org/techniques/T1110.001 - https://attack.mitre.org/techniques/T1110.003 drilldown_searches: -- name: View the detection results for $user$ - search: '%original_detection_search% | search user = $user$' +- name: View the detection results for - "$user$" + search: '%original_detection_search% | search user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/cloud/azure_ad_successful_powershell_authentication.yml b/detections/cloud/azure_ad_successful_powershell_authentication.yml index a663943e3f..08479340be 100644 --- a/detections/cloud/azure_ad_successful_powershell_authentication.yml +++ b/detections/cloud/azure_ad_successful_powershell_authentication.yml @@ -17,12 +17,12 @@ references: - https://securitycafe.ro/2022/04/29/pentesting-azure-recon-techniques/ - https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Cloud%20-%20Azure%20Pentest.md drilldown_searches: -- name: View the detection results for $user$ - search: '%original_detection_search% | search user = $user$' +- name: View the detection results for - "$user$" + search: '%original_detection_search% | search user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/cloud/azure_ad_successful_single_factor_authentication.yml b/detections/cloud/azure_ad_successful_single_factor_authentication.yml index c5ac8545c5..1c582dd9e2 100644 --- a/detections/cloud/azure_ad_successful_single_factor_authentication.yml +++ b/detections/cloud/azure_ad_successful_single_factor_authentication.yml @@ -16,12 +16,12 @@ references: - https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-mfa-howitworks* - https://www.forbes.com/sites/daveywinder/2020/07/08/new-dark-web-audit-reveals-15-billion-stolen-logins-from-100000-breaches-passwords-hackers-cybercrime/?sh=69927b2a180f drilldown_searches: -- name: View the detection results for $user$ - search: '%original_detection_search% | search user = $user$' +- name: View the detection results for - "$user$" + search: '%original_detection_search% | search user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/cloud/azure_ad_tenant_wide_admin_consent_granted.yml b/detections/cloud/azure_ad_tenant_wide_admin_consent_granted.yml index 95ad457e8c..b1fb8df1a2 100644 --- a/detections/cloud/azure_ad_tenant_wide_admin_consent_granted.yml +++ b/detections/cloud/azure_ad_tenant_wide_admin_consent_granted.yml @@ -18,12 +18,12 @@ references: - https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/grant-admin-consent?pivots=portal - https://microsoft.github.io/Azure-Threat-Research-Matrix/Persistence/AZT501/AZT501-2/ drilldown_searches: -- name: View the detection results for $user$ - search: '%original_detection_search% | search user = $user$' +- name: View the detection results for - "$user$" + search: '%original_detection_search% | search user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/cloud/azure_ad_unusual_number_of_failed_authentications_from_ip.yml b/detections/cloud/azure_ad_unusual_number_of_failed_authentications_from_ip.yml index 120d88c273..bbcfbd47b4 100644 --- a/detections/cloud/azure_ad_unusual_number_of_failed_authentications_from_ip.yml +++ b/detections/cloud/azure_ad_unusual_number_of_failed_authentications_from_ip.yml @@ -17,12 +17,12 @@ references: - https://www.cisa.gov/uscert/ncas/alerts/aa21-008a - https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes drilldown_searches: -- name: View the detection results for $userPrincipalName$ - search: '%original_detection_search% | search userPrincipalName = $userPrincipalName$' +- name: View the detection results for - "$userPrincipalName$" + search: '%original_detection_search% | search userPrincipalName = "$userPrincipalName$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $userPrincipalName$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($userPrincipalName$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$userPrincipalName$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$userPrincipalName$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/cloud/azure_ad_user_consent_blocked_for_risky_application.yml b/detections/cloud/azure_ad_user_consent_blocked_for_risky_application.yml index 031c3d04c7..126bfeabc6 100644 --- a/detections/cloud/azure_ad_user_consent_blocked_for_risky_application.yml +++ b/detections/cloud/azure_ad_user_consent_blocked_for_risky_application.yml @@ -19,12 +19,12 @@ references: - https://www.alteredsecurity.com/post/introduction-to-365-stealer - https://github.com/AlteredSecurity/365-Stealer drilldown_searches: -- name: View the detection results for $user$ - search: '%original_detection_search% | search user = $user$' +- name: View the detection results for - "$user$" + search: '%original_detection_search% | search user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/cloud/azure_ad_user_consent_denied_for_oauth_application.yml b/detections/cloud/azure_ad_user_consent_denied_for_oauth_application.yml index 8dc3a0034b..2588633b87 100644 --- a/detections/cloud/azure_ad_user_consent_denied_for_oauth_application.yml +++ b/detections/cloud/azure_ad_user_consent_denied_for_oauth_application.yml @@ -19,12 +19,12 @@ references: - https://www.alteredsecurity.com/post/introduction-to-365-stealer - https://github.com/AlteredSecurity/365-Stealer drilldown_searches: -- name: View the detection results for $user$ - search: '%original_detection_search% | search user = $user$' +- name: View the detection results for - "$user$" + search: '%original_detection_search% | search user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/cloud/azure_ad_user_enabled_and_password_reset.yml b/detections/cloud/azure_ad_user_enabled_and_password_reset.yml index ff4983f838..96eebea8e4 100644 --- a/detections/cloud/azure_ad_user_enabled_and_password_reset.yml +++ b/detections/cloud/azure_ad_user_enabled_and_password_reset.yml @@ -16,12 +16,12 @@ known_false_positives: While not common, Administrators may enable accounts and references: - https://attack.mitre.org/techniques/T1098/ drilldown_searches: -- name: View the detection results for $user$ - search: '%original_detection_search% | search user = $user$' +- name: View the detection results for - "$user$" + search: '%original_detection_search% | search user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/cloud/azure_ad_user_immutableid_attribute_updated.yml b/detections/cloud/azure_ad_user_immutableid_attribute_updated.yml index e49be3e237..e1ed90fbe5 100644 --- a/detections/cloud/azure_ad_user_immutableid_attribute_updated.yml +++ b/detections/cloud/azure_ad_user_immutableid_attribute_updated.yml @@ -19,12 +19,12 @@ references: - https://www.mandiant.com/resources/blog/detecting-microsoft-365-azure-active-directory-backdoors - https://attack.mitre.org/techniques/T1098/ drilldown_searches: -- name: View the detection results for $user$ - search: '%original_detection_search% | search user = $user$' +- name: View the detection results for - "$user$" + search: '%original_detection_search% | search user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/cloud/azure_automation_account_created.yml b/detections/cloud/azure_automation_account_created.yml index 5f33dbbd3a..067f10815d 100644 --- a/detections/cloud/azure_automation_account_created.yml +++ b/detections/cloud/azure_automation_account_created.yml @@ -20,12 +20,12 @@ references: - https://microsoft.github.io/Azure-Threat-Research-Matrix/Persistence/AZT503/AZT503-3/ - https://attack.mitre.org/techniques/T1136/003/ drilldown_searches: -- name: View the detection results for $user$ - search: '%original_detection_search% | search user = $user$' +- name: View the detection results for - "$user$" + search: '%original_detection_search% | search user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/cloud/azure_automation_runbook_created.yml b/detections/cloud/azure_automation_runbook_created.yml index 5c463bb6b4..9439a062c0 100644 --- a/detections/cloud/azure_automation_runbook_created.yml +++ b/detections/cloud/azure_automation_runbook_created.yml @@ -20,12 +20,12 @@ references: - https://microsoft.github.io/Azure-Threat-Research-Matrix/Persistence/AZT503/AZT503-3/ - https://attack.mitre.org/techniques/T1136/003/ drilldown_searches: -- name: View the detection results for $user$ - search: '%original_detection_search% | search user = $user$' +- name: View the detection results for - "$user$" + search: '%original_detection_search% | search user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/cloud/azure_runbook_webhook_created.yml b/detections/cloud/azure_runbook_webhook_created.yml index 8b46b67aaf..bbc6b93cb8 100644 --- a/detections/cloud/azure_runbook_webhook_created.yml +++ b/detections/cloud/azure_runbook_webhook_created.yml @@ -20,12 +20,12 @@ references: - https://microsoft.github.io/Azure-Threat-Research-Matrix/Persistence/AZT503/AZT503-3/ - https://attack.mitre.org/techniques/T1078/004/ drilldown_searches: -- name: View the detection results for $user$ - search: '%original_detection_search% | search user = $user$' +- name: View the detection results for - "$user$" + search: '%original_detection_search% | search user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/cloud/circle_ci_disable_security_job.yml b/detections/cloud/circle_ci_disable_security_job.yml index 669885407a..391ff4983d 100644 --- a/detections/cloud/circle_ci_disable_security_job.yml +++ b/detections/cloud/circle_ci_disable_security_job.yml @@ -13,12 +13,12 @@ how_to_implement: You must index CircleCI logs. known_false_positives: unknown references: [] drilldown_searches: -- name: View the detection results for $user$ - search: '%original_detection_search% | search user = $user$' +- name: View the detection results for - "$user$" + search: '%original_detection_search% | search user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/cloud/circle_ci_disable_security_step.yml b/detections/cloud/circle_ci_disable_security_step.yml index 409f091810..aeb0ac9fd1 100644 --- a/detections/cloud/circle_ci_disable_security_step.yml +++ b/detections/cloud/circle_ci_disable_security_step.yml @@ -5,18 +5,10 @@ date: '2024-10-17' author: Patrick Bareiss, Splunk status: experimental type: Anomaly -description: |- - The following analytic detects the disablement of security steps in a CircleCI pipeline. It leverages CircleCI logs, using field renaming, joining, and statistical analysis to identify instances where mandatory security steps are not executed. This activity is significant because disabling security steps can introduce vulnerabilities, unauthorized changes, or malicious code into the pipeline. If confirmed malicious, this could lead to potential attacks, data breaches, or compromised infrastructure. Investigate by reviewing job names, commit details, and user information associated with the disablement, and examine any relevant artifacts and concurrent processes. +description: The following analytic detects the disablement of security steps in a CircleCI pipeline. It leverages CircleCI logs, using field renaming, joining, and statistical analysis to identify instances where mandatory security steps are not executed. This activity is significant because disabling security steps can introduce vulnerabilities, unauthorized changes, or malicious code into the pipeline. If confirmed malicious, this could lead to potential attacks, data breaches, or compromised infrastructure. Investigate by reviewing job names, commit details, and user information associated with the disablement, and examine any relevant artifacts and concurrent processes. data_source: - CircleCI -search: '`circleci` | rename workflows.job_id AS job_id | join job_id [ | search `circleci` - | stats values(name) as step_names count by job_id job_name ] | stats count by step_names - job_id job_name vcs.committer_name vcs.subject vcs.url owners{} | rename vcs.* as - * , owners{} as user | lookup mandatory_step_for_job job_name OUTPUTNEW step_name - AS mandatory_step | search mandatory_step=* | eval mandatory_step_executed=if(like(step_names, - "%".mandatory_step."%"), 1, 0) | where mandatory_step_executed=0 | rex field=url - "(?[^\/]*\/[^\/]*)$" | eval phase="build" | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` | `circle_ci_disable_security_step_filter`' +search: '`circleci` | rename workflows.job_id AS job_id | join job_id [ | search `circleci` | stats values(name) as step_names count by job_id job_name ] | stats count by step_names job_id job_name vcs.committer_name vcs.subject vcs.url owners{} | rename vcs.* as * , owners{} as user | lookup mandatory_step_for_job job_name OUTPUTNEW step_name AS mandatory_step | search mandatory_step=* | eval mandatory_step_executed=if(like(step_names, "%".mandatory_step."%"), 1, 0) | where mandatory_step_executed=0 | rex field=url "(?[^\/]*\/[^\/]*)$" | eval phase="build" | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `circle_ci_disable_security_step_filter`' how_to_implement: You must index CircleCI logs. known_false_positives: unknown references: [] @@ -45,7 +37,6 @@ tags: tests: - name: True Positive Test attack_data: - - data: - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1554/circle_ci_disable_security_step/circle_ci_disable_security_step.json + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1554/circle_ci_disable_security_step/circle_ci_disable_security_step.json sourcetype: circleci source: circleci diff --git a/detections/cloud/cloud_api_calls_from_previously_unseen_user_roles.yml b/detections/cloud/cloud_api_calls_from_previously_unseen_user_roles.yml index 24dc5eebab..b7e7408bbe 100644 --- a/detections/cloud/cloud_api_calls_from_previously_unseen_user_roles.yml +++ b/detections/cloud/cloud_api_calls_from_previously_unseen_user_roles.yml @@ -5,27 +5,11 @@ date: '2024-10-17' author: David Dorsey, Splunk status: experimental type: Anomaly -description: |- - The following analytic detects cloud API calls executed by user roles that have not previously run these commands. It leverages the Change data model in Splunk to identify commands executed by users with the user_type of AssumedRole and a status of success. This activity is significant because new commands from different user roles can indicate potential malicious activity or unauthorized actions. If confirmed malicious, this behavior could lead to unauthorized access, data breaches, or other damaging outcomes by exploiting new or unmonitored commands within the cloud environment. -data_source: +description: The following analytic detects cloud API calls executed by user roles that have not previously run these commands. It leverages the Change data model in Splunk to identify commands executed by users with the user_type of AssumedRole and a status of success. This activity is significant because new commands from different user roles can indicate potential malicious activity or unauthorized actions. If confirmed malicious, this behavior could lead to unauthorized access, data breaches, or other damaging outcomes by exploiting new or unmonitored commands within the cloud environment. +data_source: - AWS CloudTrail -search: '| tstats earliest(_time) as firstTime, latest(_time) as lastTime from datamodel=Change - where All_Changes.user_type=AssumedRole AND All_Changes.status=success by All_Changes.user, - All_Changes.command All_Changes.object | `drop_dm_object_name("All_Changes")` | - lookup previously_seen_cloud_api_calls_per_user_role user as user, command as command - OUTPUT firstTimeSeen, enough_data | eventstats max(enough_data) as enough_data | - where enough_data=1 | eval firstTimeSeenUserApiCall=min(firstTimeSeen) | where isnull(firstTimeSeenUserApiCall) - OR firstTimeSeenUserApiCall > relative_time(now(),"-24h@h") | table firstTime, user, - object, command |`security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| - `cloud_api_calls_from_previously_unseen_user_roles_filter`' -how_to_implement: You must be ingesting your cloud infrastructure logs from your cloud - provider. You should run the baseline search `Previously Seen Cloud API Calls Per - User Role - Initial` to build the initial table of user roles, commands, and times. - You must also enable the second baseline search `Previously Seen Cloud API Calls - Per User Role - Update` to keep this table up to date and to age out old data. You - can adjust the time window for this search by updating the `cloud_api_calls_from_previously_unseen_user_roles_activity_window` - macro. You can also provide additional filtering for this search by customizing - the `cloud_api_calls_from_previously_unseen_user_roles_filter` +search: '| tstats earliest(_time) as firstTime, latest(_time) as lastTime from datamodel=Change where All_Changes.user_type=AssumedRole AND All_Changes.status=success by All_Changes.user, All_Changes.command All_Changes.object | `drop_dm_object_name("All_Changes")` | lookup previously_seen_cloud_api_calls_per_user_role user as user, command as command OUTPUT firstTimeSeen, enough_data | eventstats max(enough_data) as enough_data | where enough_data=1 | eval firstTimeSeenUserApiCall=min(firstTimeSeen) | where isnull(firstTimeSeenUserApiCall) OR firstTimeSeenUserApiCall > relative_time(now(),"-24h@h") | table firstTime, user, object, command |`security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `cloud_api_calls_from_previously_unseen_user_roles_filter`' +how_to_implement: You must be ingesting your cloud infrastructure logs from your cloud provider. You should run the baseline search `Previously Seen Cloud API Calls Per User Role - Initial` to build the initial table of user roles, commands, and times. You must also enable the second baseline search `Previously Seen Cloud API Calls Per User Role - Update` to keep this table up to date and to age out old data. You can adjust the time window for this search by updating the `cloud_api_calls_from_previously_unseen_user_roles_activity_window` macro. You can also provide additional filtering for this search by customizing the `cloud_api_calls_from_previously_unseen_user_roles_filter` known_false_positives: None. references: [] tags: @@ -34,8 +18,7 @@ tags: asset_type: AWS Instance confidence: 60 impact: 60 - message: User $user$ of type AssumedRole attempting to execute new API calls $command$ - that have not been seen before + message: User $user$ of type AssumedRole attempting to execute new API calls $command$ that have not been seen before mitre_attack_id: - T1078 observable: @@ -59,8 +42,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/suspicious_behaviour/abnormally_high_cloud_instances_launched/cloudtrail_behavioural_detections.json + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/suspicious_behaviour/abnormally_high_cloud_instances_launched/cloudtrail_behavioural_detections.json sourcetype: aws:cloudtrail source: aws_cloudtrail update_timestamp: true diff --git a/detections/cloud/cloud_compute_instance_created_by_previously_unseen_user.yml b/detections/cloud/cloud_compute_instance_created_by_previously_unseen_user.yml index 0636d00695..47503c9cdd 100644 --- a/detections/cloud/cloud_compute_instance_created_by_previously_unseen_user.yml +++ b/detections/cloud/cloud_compute_instance_created_by_previously_unseen_user.yml @@ -5,30 +5,12 @@ date: '2024-10-17' author: Rico Valdez, Splunk status: experimental type: Anomaly -description: The following analytic identifies the creation of cloud compute instances - by users who have not previously created them. It leverages data from the Change - data model, focusing on 'create' actions by users, and cross-references with a baseline - of known user activities. This activity is significant as it may indicate unauthorized - access or misuse of cloud resources by new or compromised accounts. If confirmed - malicious, attackers could deploy unauthorized compute instances, leading to potential - data exfiltration, increased costs, or further exploitation within the cloud environment. -data_source: +description: The following analytic identifies the creation of cloud compute instances by users who have not previously created them. It leverages data from the Change data model, focusing on 'create' actions by users, and cross-references with a baseline of known user activities. This activity is significant as it may indicate unauthorized access or misuse of cloud resources by new or compromised accounts. If confirmed malicious, attackers could deploy unauthorized compute instances, leading to potential data exfiltration, increased costs, or further exploitation within the cloud environment. +data_source: - AWS CloudTrail -search: '| tstats `security_content_summariesonly` count earliest(_time) as firstTime, - latest(_time) as lastTime values(All_Changes.object) as dest from datamodel=Change - where All_Changes.action=created by All_Changes.user All_Changes.vendor_region | - `drop_dm_object_name("All_Changes")` | lookup previously_seen_cloud_compute_creations_by_user - user as user OUTPUTNEW firstTimeSeen, enough_data | eventstats max(enough_data) - as enough_data | where enough_data=1 | eval firstTimeSeenUser=min(firstTimeSeen) - | where isnull(firstTimeSeenUser) OR firstTimeSeenUser > relative_time(now(), "-24h@h") - | table firstTime, user, dest, count vendor_region | `security_content_ctime(firstTime)` - | `cloud_compute_instance_created_by_previously_unseen_user_filter`' -how_to_implement: You must be ingesting the appropriate cloud-infrastructure logs - Run the "Previously Seen Cloud Compute Creations By User" support search to create - of baseline of previously seen users. -known_false_positives: It's possible that a user will start to create compute instances - for the first time, for any number of reasons. Verify with the user launching instances - that this is the intended behavior. +search: '| tstats `security_content_summariesonly` count earliest(_time) as firstTime, latest(_time) as lastTime values(All_Changes.object) as dest from datamodel=Change where All_Changes.action=created by All_Changes.user All_Changes.vendor_region | `drop_dm_object_name("All_Changes")` | lookup previously_seen_cloud_compute_creations_by_user user as user OUTPUTNEW firstTimeSeen, enough_data | eventstats max(enough_data) as enough_data | where enough_data=1 | eval firstTimeSeenUser=min(firstTimeSeen) | where isnull(firstTimeSeenUser) OR firstTimeSeenUser > relative_time(now(), "-24h@h") | table firstTime, user, dest, count vendor_region | `security_content_ctime(firstTime)` | `cloud_compute_instance_created_by_previously_unseen_user_filter`' +how_to_implement: You must be ingesting the appropriate cloud-infrastructure logs Run the "Previously Seen Cloud Compute Creations By User" support search to create of baseline of previously seen users. +known_false_positives: It's possible that a user will start to create compute instances for the first time, for any number of reasons. Verify with the user launching instances that this is the intended behavior. references: [] tags: analytic_story: @@ -64,8 +46,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/suspicious_behaviour/abnormally_high_cloud_instances_launched/cloudtrail_behavioural_detections.json + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/suspicious_behaviour/abnormally_high_cloud_instances_launched/cloudtrail_behavioural_detections.json sourcetype: aws:cloudtrail source: aws_cloudtrail update_timestamp: true diff --git a/detections/cloud/cloud_compute_instance_created_in_previously_unused_region.yml b/detections/cloud/cloud_compute_instance_created_in_previously_unused_region.yml index 94bdf04d49..f82159d345 100644 --- a/detections/cloud/cloud_compute_instance_created_in_previously_unused_region.yml +++ b/detections/cloud/cloud_compute_instance_created_in_previously_unused_region.yml @@ -5,33 +5,12 @@ date: '2024-10-17' author: David Dorsey, Splunk status: experimental type: Anomaly -description: The following analytic detects the creation of a cloud compute instance - in a region that has not been previously used within the last hour. It leverages - cloud infrastructure logs and compares the regions of newly created instances against - a lookup file of historically used regions. This activity is significant because - the creation of instances in new regions can indicate unauthorized or suspicious - activity, such as an attacker attempting to evade detection or establish a foothold - in a less monitored area. If confirmed malicious, this could lead to unauthorized - resource usage, data exfiltration, or further compromise of the cloud environment. -data_source: +description: The following analytic detects the creation of a cloud compute instance in a region that has not been previously used within the last hour. It leverages cloud infrastructure logs and compares the regions of newly created instances against a lookup file of historically used regions. This activity is significant because the creation of instances in new regions can indicate unauthorized or suspicious activity, such as an attacker attempting to evade detection or establish a foothold in a less monitored area. If confirmed malicious, this could lead to unauthorized resource usage, data exfiltration, or further compromise of the cloud environment. +data_source: - AWS CloudTrail -search: '| tstats earliest(_time) as firstTime latest(_time) as lastTime values(All_Changes.object_id) - as dest, count from datamodel=Change where All_Changes.action=created by All_Changes.vendor_region, - All_Changes.user | `drop_dm_object_name("All_Changes")` | lookup previously_seen_cloud_regions - vendor_region as vendor_region OUTPUTNEW firstTimeSeen, enough_data | eventstats - max(enough_data) as enough_data | where enough_data=1 | eval firstTimeSeenRegion=min(firstTimeSeen) - | where isnull(firstTimeSeenRegion) OR firstTimeSeenRegion > relative_time(now(), - "-24h@h") | table firstTime, user, dest, count , vendor_region | `security_content_ctime(firstTime)` - | `cloud_compute_instance_created_in_previously_unused_region_filter`' -how_to_implement: You must be ingesting your cloud infrastructure logs from your cloud - provider. You should run the baseline search `Previously Seen Cloud Regions - Initial` - to build the initial table of images observed and times. You must also enable the - second baseline search `Previously Seen Cloud Regions - Update` to keep this table - up to date and to age out old data. You can also provide additional filtering for - this search by customizing the `cloud_compute_instance_created_in_previously_unused_region_filter` - macro. -known_false_positives: It's possible that a user has unknowingly started an instance - in a new region. Please verify that this activity is legitimate. +search: '| tstats earliest(_time) as firstTime latest(_time) as lastTime values(All_Changes.object_id) as dest, count from datamodel=Change where All_Changes.action=created by All_Changes.vendor_region, All_Changes.user | `drop_dm_object_name("All_Changes")` | lookup previously_seen_cloud_regions vendor_region as vendor_region OUTPUTNEW firstTimeSeen, enough_data | eventstats max(enough_data) as enough_data | where enough_data=1 | eval firstTimeSeenRegion=min(firstTimeSeen) | where isnull(firstTimeSeenRegion) OR firstTimeSeenRegion > relative_time(now(), "-24h@h") | table firstTime, user, dest, count , vendor_region | `security_content_ctime(firstTime)` | `cloud_compute_instance_created_in_previously_unused_region_filter`' +how_to_implement: You must be ingesting your cloud infrastructure logs from your cloud provider. You should run the baseline search `Previously Seen Cloud Regions - Initial` to build the initial table of images observed and times. You must also enable the second baseline search `Previously Seen Cloud Regions - Update` to keep this table up to date and to age out old data. You can also provide additional filtering for this search by customizing the `cloud_compute_instance_created_in_previously_unused_region_filter` macro. +known_false_positives: It's possible that a user has unknowingly started an instance in a new region. Please verify that this activity is legitimate. references: [] tags: analytic_story: @@ -39,8 +18,7 @@ tags: asset_type: Cloud Compute Instance confidence: 60 impact: 70 - message: User $user$ is creating an instance $dest$ in a new region for the first - time + message: User $user$ is creating an instance $dest$ in a new region for the first time mitre_attack_id: - T1535 observable: @@ -67,8 +45,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/suspicious_behaviour/abnormally_high_cloud_instances_launched/cloudtrail_behavioural_detections.json + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/suspicious_behaviour/abnormally_high_cloud_instances_launched/cloudtrail_behavioural_detections.json sourcetype: aws:cloudtrail source: aws_cloudtrail update_timestamp: true diff --git a/detections/cloud/cloud_compute_instance_created_with_previously_unseen_image.yml b/detections/cloud/cloud_compute_instance_created_with_previously_unseen_image.yml index 894e960381..89e00c36b8 100644 --- a/detections/cloud/cloud_compute_instance_created_with_previously_unseen_image.yml +++ b/detections/cloud/cloud_compute_instance_created_with_previously_unseen_image.yml @@ -5,28 +5,12 @@ date: '2024-10-17' author: David Dorsey, Splunk status: experimental type: Anomaly -description: |- - The following analytic detects the creation of cloud compute instances using previously unseen image IDs. It leverages cloud infrastructure logs to identify new image IDs that have not been observed before. This activity is significant because it may indicate unauthorized or suspicious activity, such as the deployment of malicious payloads or unauthorized access to sensitive information. If confirmed malicious, this could lead to data breaches, unauthorized access, or further compromise of the cloud environment. Immediate investigation is required to determine the legitimacy of the instance creation and to mitigate potential threats. -data_source: +description: The following analytic detects the creation of cloud compute instances using previously unseen image IDs. It leverages cloud infrastructure logs to identify new image IDs that have not been observed before. This activity is significant because it may indicate unauthorized or suspicious activity, such as the deployment of malicious payloads or unauthorized access to sensitive information. If confirmed malicious, this could lead to data breaches, unauthorized access, or further compromise of the cloud environment. Immediate investigation is required to determine the legitimacy of the instance creation and to mitigate potential threats. +data_source: - AWS CloudTrail -search: '| tstats count earliest(_time) as firstTime, latest(_time) as lastTime values(All_Changes.object_id) - as dest from datamodel=Change where All_Changes.action=created by All_Changes.Instance_Changes.image_id, - All_Changes.user | `drop_dm_object_name("All_Changes")` | `drop_dm_object_name("Instance_Changes")` - | where image_id != "unknown" | lookup previously_seen_cloud_compute_images image_id - as image_id OUTPUT firstTimeSeen, enough_data | eventstats max(enough_data) as enough_data - | where enough_data=1 | eval firstTimeSeenImage=min(firstTimeSeen) | where isnull(firstTimeSeenImage) - OR firstTimeSeenImage > relative_time(now(), "-24h@h") | table firstTime, user, - image_id, count, dest | `security_content_ctime(firstTime)` | `cloud_compute_instance_created_with_previously_unseen_image_filter`' -how_to_implement: You must be ingesting your cloud infrastructure logs from your cloud - provider. You should run the baseline search `Previously Seen Cloud Compute Images - - Initial` to build the initial table of images observed and times. You must also - enable the second baseline search `Previously Seen Cloud Compute Images - Update` - to keep this table up to date and to age out old data. You can also provide additional - filtering for this search by customizing the `cloud_compute_instance_created_with_previously_unseen_image_filter` - macro. -known_false_positives: After a new image is created, the first systems created with - that image will cause this alert to fire. Verify that the image being used was - created by a legitimate user. +search: '| tstats count earliest(_time) as firstTime, latest(_time) as lastTime values(All_Changes.object_id) as dest from datamodel=Change where All_Changes.action=created by All_Changes.Instance_Changes.image_id, All_Changes.user | `drop_dm_object_name("All_Changes")` | `drop_dm_object_name("Instance_Changes")` | where image_id != "unknown" | lookup previously_seen_cloud_compute_images image_id as image_id OUTPUT firstTimeSeen, enough_data | eventstats max(enough_data) as enough_data | where enough_data=1 | eval firstTimeSeenImage=min(firstTimeSeen) | where isnull(firstTimeSeenImage) OR firstTimeSeenImage > relative_time(now(), "-24h@h") | table firstTime, user, image_id, count, dest | `security_content_ctime(firstTime)` | `cloud_compute_instance_created_with_previously_unseen_image_filter`' +how_to_implement: You must be ingesting your cloud infrastructure logs from your cloud provider. You should run the baseline search `Previously Seen Cloud Compute Images - Initial` to build the initial table of images observed and times. You must also enable the second baseline search `Previously Seen Cloud Compute Images - Update` to keep this table up to date and to age out old data. You can also provide additional filtering for this search by customizing the `cloud_compute_instance_created_with_previously_unseen_image_filter` macro. +known_false_positives: After a new image is created, the first systems created with that image will cause this alert to fire. Verify that the image being used was created by a legitimate user. references: [] tags: analytic_story: @@ -34,8 +18,7 @@ tags: asset_type: Cloud Compute Instance confidence: 60 impact: 60 - message: User $user$ is creating an instance $dest$ with an image that has not been - previously seen. + message: User $user$ is creating an instance $dest$ with an image that has not been previously seen. observable: - name: user type: User @@ -60,8 +43,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/suspicious_behaviour/abnormally_high_cloud_instances_launched/cloudtrail_behavioural_detections.json + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/suspicious_behaviour/abnormally_high_cloud_instances_launched/cloudtrail_behavioural_detections.json sourcetype: aws:cloudtrail source: aws_cloudtrail update_timestamp: true diff --git a/detections/cloud/cloud_compute_instance_created_with_previously_unseen_instance_type.yml b/detections/cloud/cloud_compute_instance_created_with_previously_unseen_instance_type.yml index 6d721d09d0..6f8e8887c2 100644 --- a/detections/cloud/cloud_compute_instance_created_with_previously_unseen_instance_type.yml +++ b/detections/cloud/cloud_compute_instance_created_with_previously_unseen_instance_type.yml @@ -5,35 +5,12 @@ date: '2024-10-17' author: David Dorsey, Splunk status: experimental type: Anomaly -description: The following analytic detects the creation of EC2 instances with previously - unseen instance types. It leverages Splunk's tstats command to analyze data from - the Change data model, identifying instance types that have not been previously - recorded. This activity is significant for a SOC because it may indicate unauthorized - or suspicious activity, such as an attacker attempting to create instances for malicious - purposes. If confirmed malicious, this could lead to unauthorized access, data exfiltration, - system compromise, or service disruption. Immediate investigation is required to - determine the legitimacy of the instance creation. -data_source: +description: The following analytic detects the creation of EC2 instances with previously unseen instance types. It leverages Splunk's tstats command to analyze data from the Change data model, identifying instance types that have not been previously recorded. This activity is significant for a SOC because it may indicate unauthorized or suspicious activity, such as an attacker attempting to create instances for malicious purposes. If confirmed malicious, this could lead to unauthorized access, data exfiltration, system compromise, or service disruption. Immediate investigation is required to determine the legitimacy of the instance creation. +data_source: - AWS CloudTrail -search: '| tstats earliest(_time) as firstTime, latest(_time) as lastTime values(All_Changes.object_id) - as dest, count from datamodel=Change where All_Changes.action=created by All_Changes.Instance_Changes.instance_type, - All_Changes.user | `drop_dm_object_name("All_Changes")` | `drop_dm_object_name("Instance_Changes")` - | where instance_type != "unknown" | lookup previously_seen_cloud_compute_instance_types - instance_type as instance_type OUTPUTNEW firstTimeSeen, enough_data | eventstats - max(enough_data) as enough_data | where enough_data=1 | eval firstTimeSeenInstanceType=min(firstTimeSeen) - | where isnull(firstTimeSeenInstanceType) OR firstTimeSeenInstanceType > relative_time(now(), - "-24h@h") | table firstTime, user, dest, count, instance_type | `security_content_ctime(firstTime)` - | `cloud_compute_instance_created_with_previously_unseen_instance_type_filter`' -how_to_implement: You must be ingesting your cloud infrastructure logs from your cloud - provider. You should run the baseline search `Previously Seen Cloud Compute Instance - Types - Initial` to build the initial table of instance types observed and times. - You must also enable the second baseline search `Previously Seen Cloud Compute Instance - Types - Update` to keep this table up to date and to age out old data. You can also - provide additional filtering for this search by customizing the `cloud_compute_instance_created_with_previously_unseen_instance_type_filter` - macro. -known_false_positives: It is possible that an admin will create a new system using - a new instance type that has never been used before. Verify with the creator that - they intended to create the system with the new instance type. +search: '| tstats earliest(_time) as firstTime, latest(_time) as lastTime values(All_Changes.object_id) as dest, count from datamodel=Change where All_Changes.action=created by All_Changes.Instance_Changes.instance_type, All_Changes.user | `drop_dm_object_name("All_Changes")` | `drop_dm_object_name("Instance_Changes")` | where instance_type != "unknown" | lookup previously_seen_cloud_compute_instance_types instance_type as instance_type OUTPUTNEW firstTimeSeen, enough_data | eventstats max(enough_data) as enough_data | where enough_data=1 | eval firstTimeSeenInstanceType=min(firstTimeSeen) | where isnull(firstTimeSeenInstanceType) OR firstTimeSeenInstanceType > relative_time(now(), "-24h@h") | table firstTime, user, dest, count, instance_type | `security_content_ctime(firstTime)` | `cloud_compute_instance_created_with_previously_unseen_instance_type_filter`' +how_to_implement: You must be ingesting your cloud infrastructure logs from your cloud provider. You should run the baseline search `Previously Seen Cloud Compute Instance Types - Initial` to build the initial table of instance types observed and times. You must also enable the second baseline search `Previously Seen Cloud Compute Instance Types - Update` to keep this table up to date and to age out old data. You can also provide additional filtering for this search by customizing the `cloud_compute_instance_created_with_previously_unseen_instance_type_filter` macro. +known_false_positives: It is possible that an admin will create a new system using a new instance type that has never been used before. Verify with the creator that they intended to create the system with the new instance type. references: [] tags: analytic_story: @@ -41,8 +18,7 @@ tags: asset_type: Cloud Compute Instance confidence: 60 impact: 50 - message: User $user$ is creating an instance $dest$ with an instance type $instance_type$ - that has not been previously seen. + message: User $user$ is creating an instance $dest$ with an instance type $instance_type$ that has not been previously seen. observable: - name: user type: User @@ -67,8 +43,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/suspicious_behaviour/abnormally_high_cloud_instances_launched/cloudtrail_behavioural_detections.json + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/suspicious_behaviour/abnormally_high_cloud_instances_launched/cloudtrail_behavioural_detections.json sourcetype: aws:cloudtrail source: aws_cloudtrail update_timestamp: true diff --git a/detections/cloud/cloud_instance_modified_by_previously_unseen_user.yml b/detections/cloud/cloud_instance_modified_by_previously_unseen_user.yml index 0f96061e1f..960bb0459d 100644 --- a/detections/cloud/cloud_instance_modified_by_previously_unseen_user.yml +++ b/detections/cloud/cloud_instance_modified_by_previously_unseen_user.yml @@ -5,31 +5,12 @@ date: '2024-10-17' author: Rico Valdez, Splunk status: experimental type: Anomaly -description: The following analytic identifies cloud instances being modified by users - who have not previously modified them. It leverages data from the Change data model, - focusing on successful modifications of EC2 instances. This activity is significant - because it can indicate unauthorized or suspicious changes by potentially compromised - or malicious users. If confirmed malicious, this could lead to unauthorized access, - configuration changes, or potential disruption of cloud services, posing a significant - risk to the organization's cloud infrastructure. -data_source: +description: The following analytic identifies cloud instances being modified by users who have not previously modified them. It leverages data from the Change data model, focusing on successful modifications of EC2 instances. This activity is significant because it can indicate unauthorized or suspicious changes by potentially compromised or malicious users. If confirmed malicious, this could lead to unauthorized access, configuration changes, or potential disruption of cloud services, posing a significant risk to the organization's cloud infrastructure. +data_source: - AWS CloudTrail -search: '| tstats `security_content_summariesonly` count earliest(_time) as firstTime, - latest(_time) as lastTime values(All_Changes.object_id) as object_id values(All_Changes.command) - as command from datamodel=Change where All_Changes.action=modified All_Changes.change_type=EC2 - All_Changes.status=success by All_Changes.user | `drop_dm_object_name("All_Changes")` - | lookup previously_seen_cloud_instance_modifications_by_user user as user OUTPUTNEW - firstTimeSeen, enough_data | eventstats max(enough_data) as enough_data | where - enough_data=1 | eval firstTimeSeenUser=min(firstTimeSeen) | where isnull(firstTimeSeenUser) - OR firstTimeSeenUser > relative_time(now(), "-24h@h") | table firstTime user command - object_id count | `security_content_ctime(firstTime)` | `cloud_instance_modified_by_previously_unseen_user_filter`' -how_to_implement: This search has a dependency on other searches to create and update - a baseline of users observed to be associated with this activity. The search "Previously - Seen Cloud Instance Modifications By User - Update" should be enabled for this detection - to properly work. -known_false_positives: It's possible that a new user will start to modify EC2 instances - when they haven't before for any number of reasons. Verify with the user that is - modifying instances that this is the intended behavior. +search: '| tstats `security_content_summariesonly` count earliest(_time) as firstTime, latest(_time) as lastTime values(All_Changes.object_id) as object_id values(All_Changes.command) as command from datamodel=Change where All_Changes.action=modified All_Changes.change_type=EC2 All_Changes.status=success by All_Changes.user | `drop_dm_object_name("All_Changes")` | lookup previously_seen_cloud_instance_modifications_by_user user as user OUTPUTNEW firstTimeSeen, enough_data | eventstats max(enough_data) as enough_data | where enough_data=1 | eval firstTimeSeenUser=min(firstTimeSeen) | where isnull(firstTimeSeenUser) OR firstTimeSeenUser > relative_time(now(), "-24h@h") | table firstTime user command object_id count | `security_content_ctime(firstTime)` | `cloud_instance_modified_by_previously_unseen_user_filter`' +how_to_implement: This search has a dependency on other searches to create and update a baseline of users observed to be associated with this activity. The search "Previously Seen Cloud Instance Modifications By User - Update" should be enabled for this detection to properly work. +known_false_positives: It's possible that a new user will start to modify EC2 instances when they haven't before for any number of reasons. Verify with the user that is modifying instances that this is the intended behavior. references: [] tags: analytic_story: @@ -63,8 +44,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/suspicious_behaviour/abnormally_high_cloud_instances_launched/cloudtrail_behavioural_detections.json + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/suspicious_behaviour/abnormally_high_cloud_instances_launched/cloudtrail_behavioural_detections.json sourcetype: aws:cloudtrail source: aws_cloudtrail update_timestamp: true diff --git a/detections/cloud/cloud_provisioning_activity_from_previously_unseen_city.yml b/detections/cloud/cloud_provisioning_activity_from_previously_unseen_city.yml index 389be48951..13374f7dd0 100644 --- a/detections/cloud/cloud_provisioning_activity_from_previously_unseen_city.yml +++ b/detections/cloud/cloud_provisioning_activity_from_previously_unseen_city.yml @@ -15,12 +15,12 @@ known_false_positives: 'This is a strictly behavioral search, so we define "fals This search will fire any time a new IP address is seen in the **GeoIP** database for any kind of provisioning activity. If you typically do all provisioning from tools inside of your country, there should be few false positives. If you are located in countries where the free version of **MaxMind GeoIP** that ships by default with Splunk has weak resolution (particularly small countries in less economically powerful regions), this may be much less valuable to you.' references: [] drilldown_searches: -- name: View the detection results for $user$ and $object$ - search: '%original_detection_search% | search user = $user$ object = $object$' +- name: View the detection results for - "$user$" and "$object$" + search: '%original_detection_search% | search user = "$user$" object = "$object$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ and $object$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$, $object$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" and "$object$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$object$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/cloud/cloud_provisioning_activity_from_previously_unseen_country.yml b/detections/cloud/cloud_provisioning_activity_from_previously_unseen_country.yml index 1a148db010..35b73ffa52 100644 --- a/detections/cloud/cloud_provisioning_activity_from_previously_unseen_country.yml +++ b/detections/cloud/cloud_provisioning_activity_from_previously_unseen_country.yml @@ -15,12 +15,12 @@ known_false_positives: 'This is a strictly behavioral search, so we define "fals This search will fire any time a new IP address is seen in the **GeoIP** database for any kind of provisioning activity. If you typically do all provisioning from tools inside of your country, there should be few false positives. If you are located in countries where the free version of **MaxMind GeoIP** that ships by default with Splunk has weak resolution (particularly small countries in less economically powerful regions), this may be much less valuable to you.' references: [] drilldown_searches: -- name: View the detection results for $object$ - search: '%original_detection_search% | search object = $object$' +- name: View the detection results for - "$object$" + search: '%original_detection_search% | search object = "$object$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $object$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($object$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$object$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$object$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/cloud/cloud_provisioning_activity_from_previously_unseen_ip_address.yml b/detections/cloud/cloud_provisioning_activity_from_previously_unseen_ip_address.yml index 99c8ce0d02..d49109dfd1 100644 --- a/detections/cloud/cloud_provisioning_activity_from_previously_unseen_ip_address.yml +++ b/detections/cloud/cloud_provisioning_activity_from_previously_unseen_ip_address.yml @@ -15,12 +15,12 @@ known_false_positives: 'This is a strictly behavioral search, so we define "fals This search will fire any time a new IP address is seen in the **GeoIP** database for any kind of provisioning activity. If you typically do all provisioning from tools inside of your country, there should be few false positives. If you are located in countries where the free version of **MaxMind GeoIP** that ships by default with Splunk has weak resolution (particularly small countries in less economically powerful regions), this may be much less valuable to you.' references: [] drilldown_searches: -- name: View the detection results for $object_id$ - search: '%original_detection_search% | search object_id = $object_id$' +- name: View the detection results for - "$object_id$" + search: '%original_detection_search% | search object_id = "$object_id$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $object_id$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($object_id$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$object_id$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$object_id$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/cloud/cloud_provisioning_activity_from_previously_unseen_region.yml b/detections/cloud/cloud_provisioning_activity_from_previously_unseen_region.yml index fc3f0a3a86..f712bd6c58 100644 --- a/detections/cloud/cloud_provisioning_activity_from_previously_unseen_region.yml +++ b/detections/cloud/cloud_provisioning_activity_from_previously_unseen_region.yml @@ -15,12 +15,12 @@ known_false_positives: 'This is a strictly behavioral search, so we define "fals This search will fire any time a new IP address is seen in the **GeoIP** database for any kind of provisioning activity. If you typically do all provisioning from tools inside of your country, there should be few false positives. If you are located in countries where the free version of **MaxMind GeoIP** that ships by default with Splunk has weak resolution (particularly small countries in less economically powerful regions), this may be much less valuable to you.' references: [] drilldown_searches: -- name: View the detection results for $object$ - search: '%original_detection_search% | search object = $object$' +- name: View the detection results for - "$object$" + search: '%original_detection_search% | search object = "$object$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $object$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($object$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$object$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$object$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/cloud/cloud_security_groups_modifications_by_user.yml b/detections/cloud/cloud_security_groups_modifications_by_user.yml index f9efefd70b..c7d6fe6905 100644 --- a/detections/cloud/cloud_security_groups_modifications_by_user.yml +++ b/detections/cloud/cloud_security_groups_modifications_by_user.yml @@ -14,12 +14,12 @@ known_false_positives: It is possible that legitimate user/admin may modify a nu references: - https://attack.mitre.org/techniques/T1578/005/ drilldown_searches: -- name: View the detection results for $user$ - search: '%original_detection_search% | search user = $user$' +- name: View the detection results for - "$user$" + search: '%original_detection_search% | search user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/cloud/detect_aws_console_login_by_new_user.yml b/detections/cloud/detect_aws_console_login_by_new_user.yml index 060ca6ed1c..a96fcb94aa 100644 --- a/detections/cloud/detect_aws_console_login_by_new_user.yml +++ b/detections/cloud/detect_aws_console_login_by_new_user.yml @@ -5,32 +5,12 @@ date: '2024-10-17' author: Rico Valdez, Splunk status: experimental type: Hunting -description: The following analytic detects AWS console login events by new users. - It leverages AWS CloudTrail events and compares them against a lookup file of previously - seen users based on ARN values. This detection is significant because a new user - logging into the AWS console could indicate the creation of new accounts or potential - unauthorized access. If confirmed malicious, this activity could lead to unauthorized - access to AWS resources, data exfiltration, or further exploitation within the cloud - environment. -data_source: +description: The following analytic detects AWS console login events by new users. It leverages AWS CloudTrail events and compares them against a lookup file of previously seen users based on ARN values. This detection is significant because a new user logging into the AWS console could indicate the creation of new accounts or potential unauthorized access. If confirmed malicious, this activity could lead to unauthorized access to AWS resources, data exfiltration, or further exploitation within the cloud environment. +data_source: - AWS CloudTrail -search: '| tstats earliest(_time) as firstTime latest(_time) as lastTime from datamodel=Authentication - where Authentication.signature=ConsoleLogin by Authentication.user | `drop_dm_object_name(Authentication)` - | join user type=outer [ | inputlookup previously_seen_users_console_logins | stats - min(firstTime) as earliestseen by user] | eval userStatus=if(earliestseen >= relative_time(now(), - "-24h@h") OR isnull(earliestseen), "First Time Logging into AWS Console", "Previously - Seen User") | where userStatus="First Time Logging into AWS Console" | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` | `detect_aws_console_login_by_new_user_filter`' -how_to_implement: You must install and configure the Splunk Add-on for AWS (version - 5.1.0 or later) and Enterprise Security 6.2, which contains the required updates - to the Authentication data model for cloud use cases. Run the `Previously Seen Users - in CloudTrail - Initial` support search only once to create a baseline of previously - seen IAM users within the last 30 days. Run `Previously Seen Users in CloudTrail - - Update` hourly (or more frequently depending on how often you run the detection - searches) to refresh the baselines. -known_false_positives: When a legitimate new user logins for the first time, this - activity will be detected. Check how old the account is and verify that the user - activity is legitimate. +search: '| tstats earliest(_time) as firstTime latest(_time) as lastTime from datamodel=Authentication where Authentication.signature=ConsoleLogin by Authentication.user | `drop_dm_object_name(Authentication)` | join user type=outer [ | inputlookup previously_seen_users_console_logins | stats min(firstTime) as earliestseen by user] | eval userStatus=if(earliestseen >= relative_time(now(), "-24h@h") OR isnull(earliestseen), "First Time Logging into AWS Console", "Previously Seen User") | where userStatus="First Time Logging into AWS Console" | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_aws_console_login_by_new_user_filter`' +how_to_implement: You must install and configure the Splunk Add-on for AWS (version 5.1.0 or later) and Enterprise Security 6.2, which contains the required updates to the Authentication data model for cloud use cases. Run the `Previously Seen Users in CloudTrail - Initial` support search only once to create a baseline of previously seen IAM users within the last 30 days. Run `Previously Seen Users in CloudTrail - Update` hourly (or more frequently depending on how often you run the detection searches) to refresh the baselines. +known_false_positives: When a legitimate new user logins for the first time, this activity will be detected. Check how old the account is and verify that the user activity is legitimate. references: [] tags: analytic_story: @@ -62,8 +42,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/suspicious_behaviour/abnormally_high_cloud_instances_launched/cloudtrail_behavioural_detections.json + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/suspicious_behaviour/abnormally_high_cloud_instances_launched/cloudtrail_behavioural_detections.json sourcetype: aws:cloudtrail source: aws_cloudtrail update_timestamp: true diff --git a/detections/cloud/detect_aws_console_login_by_user_from_new_city.yml b/detections/cloud/detect_aws_console_login_by_user_from_new_city.yml index 89a3f581e9..5ed4a0207d 100644 --- a/detections/cloud/detect_aws_console_login_by_user_from_new_city.yml +++ b/detections/cloud/detect_aws_console_login_by_user_from_new_city.yml @@ -5,37 +5,12 @@ date: '2024-10-17' author: Bhavin Patel, Eric McGinnis Splunk status: production type: Hunting -description: The following analytic identifies AWS console login events by users from - a new city within the last hour. It leverages AWS CloudTrail events and compares - them against a lookup file of previously seen user locations. This activity is significant - for a SOC as it may indicate unauthorized access or credential compromise, especially - if the login originates from an unusual location. If confirmed malicious, this could - lead to unauthorized access to AWS resources, data exfiltration, or further exploitation - within the cloud environment. +description: The following analytic identifies AWS console login events by users from a new city within the last hour. It leverages AWS CloudTrail events and compares them against a lookup file of previously seen user locations. This activity is significant for a SOC as it may indicate unauthorized access or credential compromise, especially if the login originates from an unusual location. If confirmed malicious, this could lead to unauthorized access to AWS resources, data exfiltration, or further exploitation within the cloud environment. data_source: - AWS CloudTrail -search: '| tstats earliest(_time) as firstTime latest(_time) as lastTime from datamodel=Authentication - where Authentication.signature=ConsoleLogin by Authentication.user Authentication.src - | iplocation Authentication.src | `drop_dm_object_name(Authentication)` | rename - City as justSeenCity | table firstTime lastTime user justSeenCity | join user type=outer - [| inputlookup previously_seen_users_console_logins | rename City as previouslySeenCity - | stats min(firstTime) AS earliestseen by user previouslySeenCity | fields earliestseen - user previouslySeenCity] | eval userCity=if(firstTime >= relative_time(now(), "-24h@h"), - "New City","Previously Seen City") | where userCity = "New City" | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` | table firstTime lastTime user previouslySeenCity - justSeenCity userCity | `detect_aws_console_login_by_user_from_new_city_filter`' -how_to_implement: You must install and configure the Splunk Add-on for AWS (version - 5.1.0 or later) and Enterprise Security 6.2, which contains the required updates - to the Authentication data model for cloud use cases. Run the `Previously Seen Users - in AWS CloudTrail - Initial` support search only once to create a baseline of previously - seen IAM users within the last 30 days. Run `Previously Seen Users in AWS CloudTrail - - Update` hourly (or more frequently depending on how often you run the detection - searches) to refresh the baselines. You can also provide additional filtering for - this search by customizing the `detect_aws_console_login_by_user_from_new_city_filter` - macro. -known_false_positives: When a legitimate new user logins for the first time, this - activity will be detected. Check how old the account is and verify that the user - activity is legitimate. +search: '| tstats earliest(_time) as firstTime latest(_time) as lastTime from datamodel=Authentication where Authentication.signature=ConsoleLogin by Authentication.user Authentication.src | iplocation Authentication.src | `drop_dm_object_name(Authentication)` | rename City as justSeenCity | table firstTime lastTime user justSeenCity | join user type=outer [| inputlookup previously_seen_users_console_logins | rename City as previouslySeenCity | stats min(firstTime) AS earliestseen by user previouslySeenCity | fields earliestseen user previouslySeenCity] | eval userCity=if(firstTime >= relative_time(now(), "-24h@h"), "New City","Previously Seen City") | where userCity = "New City" | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | table firstTime lastTime user previouslySeenCity justSeenCity userCity | `detect_aws_console_login_by_user_from_new_city_filter`' +how_to_implement: You must install and configure the Splunk Add-on for AWS (version 5.1.0 or later) and Enterprise Security 6.2, which contains the required updates to the Authentication data model for cloud use cases. Run the `Previously Seen Users in AWS CloudTrail - Initial` support search only once to create a baseline of previously seen IAM users within the last 30 days. Run `Previously Seen Users in AWS CloudTrail - Update` hourly (or more frequently depending on how often you run the detection searches) to refresh the baselines. You can also provide additional filtering for this search by customizing the `detect_aws_console_login_by_user_from_new_city_filter` macro. +known_false_positives: When a legitimate new user logins for the first time, this activity will be detected. Check how old the account is and verify that the user activity is legitimate. references: [] tags: analytic_story: @@ -46,8 +21,7 @@ tags: asset_type: AWS Instance confidence: 60 impact: 30 - message: User $user$ is logging into the AWS console from City $City$ for the first - time + message: User $user$ is logging into the AWS console from City $City$ for the first time mitre_attack_id: - T1586 - T1586.003 @@ -68,13 +42,11 @@ tags: - Authentication.src risk_score: 18 security_domain: threat - manual_test: This search needs the baseline to be run first to create a lookup. - It also requires that the timestamps in the dataset be updated. + manual_test: This search needs the baseline to be run first to create a lookup. It also requires that the timestamps in the dataset be updated. tests: - name: True Positive Test attack_data: - - data: - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/suspicious_behaviour/abnormally_high_cloud_instances_launched/cloudtrail_behavioural_detections.json + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/suspicious_behaviour/abnormally_high_cloud_instances_launched/cloudtrail_behavioural_detections.json sourcetype: aws:cloudtrail source: aws_cloudtrail update_timestamp: true diff --git a/detections/cloud/detect_aws_console_login_by_user_from_new_country.yml b/detections/cloud/detect_aws_console_login_by_user_from_new_country.yml index 4e5de23a27..8466e0d5ae 100644 --- a/detections/cloud/detect_aws_console_login_by_user_from_new_country.yml +++ b/detections/cloud/detect_aws_console_login_by_user_from_new_country.yml @@ -5,37 +5,12 @@ date: '2024-10-17' author: Bhavin Patel, Eric McGinnis Splunk status: production type: Hunting -description: The following analytic identifies AWS console login events by users from - a new country. It leverages AWS CloudTrail events and compares them against a lookup - file of previously seen users and their login locations. This activity is significant - because logins from new countries can indicate potential unauthorized access or - compromised accounts. If confirmed malicious, this could lead to unauthorized access - to AWS resources, data exfiltration, or further exploitation within the AWS environment. +description: The following analytic identifies AWS console login events by users from a new country. It leverages AWS CloudTrail events and compares them against a lookup file of previously seen users and their login locations. This activity is significant because logins from new countries can indicate potential unauthorized access or compromised accounts. If confirmed malicious, this could lead to unauthorized access to AWS resources, data exfiltration, or further exploitation within the AWS environment. data_source: - AWS CloudTrail -search: '| tstats earliest(_time) as firstTime latest(_time) as lastTime from datamodel=Authentication - where Authentication.signature=ConsoleLogin by Authentication.user Authentication.src - | iplocation Authentication.src | `drop_dm_object_name(Authentication)` | rename - Country as justSeenCountry | table firstTime lastTime user justSeenCountry | join - user type=outer [| inputlookup previously_seen_users_console_logins | rename Country - as previouslySeenCountry | stats min(firstTime) AS earliestseen by user previouslySeenCountry - | fields earliestseen user previouslySeenCountry] | eval userCountry=if(firstTime - >= relative_time(now(), "-24h@h"), "New Country","Previously Seen Country") | where - userCountry = "New Country" | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` - | table firstTime lastTime user previouslySeenCountry justSeenCountry userCountry - | `detect_aws_console_login_by_user_from_new_country_filter`' -how_to_implement: You must install and configure the Splunk Add-on for AWS (version - 5.1.0 or later) and Enterprise Security 6.2, which contains the required updates - to the Authentication data model for cloud use cases. Run the `Previously Seen Users - in AWS CloudTrail - Initial` support search only once to create a baseline of previously - seen IAM users within the last 30 days. Run `Previously Seen Users in AWS CloudTrail - - Update` hourly (or more frequently depending on how often you run the detection - searches) to refresh the baselines. You can also provide additional filtering for - this search by customizing the `detect_aws_console_login_by_user_from_new_country_filter` - macro. -known_false_positives: When a legitimate new user logins for the first time, this - activity will be detected. Check how old the account is and verify that the user - activity is legitimate. +search: '| tstats earliest(_time) as firstTime latest(_time) as lastTime from datamodel=Authentication where Authentication.signature=ConsoleLogin by Authentication.user Authentication.src | iplocation Authentication.src | `drop_dm_object_name(Authentication)` | rename Country as justSeenCountry | table firstTime lastTime user justSeenCountry | join user type=outer [| inputlookup previously_seen_users_console_logins | rename Country as previouslySeenCountry | stats min(firstTime) AS earliestseen by user previouslySeenCountry | fields earliestseen user previouslySeenCountry] | eval userCountry=if(firstTime >= relative_time(now(), "-24h@h"), "New Country","Previously Seen Country") | where userCountry = "New Country" | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | table firstTime lastTime user previouslySeenCountry justSeenCountry userCountry | `detect_aws_console_login_by_user_from_new_country_filter`' +how_to_implement: You must install and configure the Splunk Add-on for AWS (version 5.1.0 or later) and Enterprise Security 6.2, which contains the required updates to the Authentication data model for cloud use cases. Run the `Previously Seen Users in AWS CloudTrail - Initial` support search only once to create a baseline of previously seen IAM users within the last 30 days. Run `Previously Seen Users in AWS CloudTrail - Update` hourly (or more frequently depending on how often you run the detection searches) to refresh the baselines. You can also provide additional filtering for this search by customizing the `detect_aws_console_login_by_user_from_new_country_filter` macro. +known_false_positives: When a legitimate new user logins for the first time, this activity will be detected. Check how old the account is and verify that the user activity is legitimate. references: [] tags: analytic_story: @@ -46,8 +21,7 @@ tags: asset_type: AWS Instance confidence: 60 impact: 70 - message: User $user$ is logging into the AWS console from Country $Country$ for - the first time + message: User $user$ is logging into the AWS console from Country $Country$ for the first time mitre_attack_id: - T1586 - T1586.003 @@ -68,13 +42,11 @@ tags: - Authentication.src risk_score: 42 security_domain: threat - manual_test: This search needs the baseline to be run first to create a lookup. - It also requires that the timestamps in the dataset be updated. + manual_test: This search needs the baseline to be run first to create a lookup. It also requires that the timestamps in the dataset be updated. tests: - name: True Positive Test attack_data: - - data: - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/suspicious_behaviour/abnormally_high_cloud_instances_launched/cloudtrail_behavioural_detections.json + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/suspicious_behaviour/abnormally_high_cloud_instances_launched/cloudtrail_behavioural_detections.json sourcetype: aws:cloudtrail source: aws_cloudtrail update_timestamp: true diff --git a/detections/cloud/detect_aws_console_login_by_user_from_new_region.yml b/detections/cloud/detect_aws_console_login_by_user_from_new_region.yml index d1a3b23543..4a894e1c9f 100644 --- a/detections/cloud/detect_aws_console_login_by_user_from_new_region.yml +++ b/detections/cloud/detect_aws_console_login_by_user_from_new_region.yml @@ -5,38 +5,12 @@ date: '2024-10-17' author: Bhavin Patel, Eric McGinnis Splunk status: production type: Hunting -description: The following analytic identifies AWS console login attempts by users - from a new region. It leverages AWS CloudTrail events and compares current login - regions against a baseline of previously seen regions for each user. This activity - is significant as it may indicate unauthorized access attempts or compromised credentials. - If confirmed malicious, an attacker could gain unauthorized access to AWS resources, - potentially leading to data breaches, resource manipulation, or further lateral - movement within the cloud environment. +description: The following analytic identifies AWS console login attempts by users from a new region. It leverages AWS CloudTrail events and compares current login regions against a baseline of previously seen regions for each user. This activity is significant as it may indicate unauthorized access attempts or compromised credentials. If confirmed malicious, an attacker could gain unauthorized access to AWS resources, potentially leading to data breaches, resource manipulation, or further lateral movement within the cloud environment. data_source: - AWS CloudTrail -search: '| tstats earliest(_time) as firstTime latest(_time) as lastTime from datamodel=Authentication - where Authentication.signature=ConsoleLogin by Authentication.user Authentication.src - | iplocation Authentication.src | `drop_dm_object_name(Authentication)` | rename - Region as justSeenRegion | table firstTime lastTime user justSeenRegion | join user - type=outer [| inputlookup previously_seen_users_console_logins | rename Region as - previouslySeenRegion | stats min(firstTime) AS earliestseen by user previouslySeenRegion - | fields earliestseen user previouslySeenRegion] | eval userRegion=if(firstTime - >= relative_time(now(), "-24h@h"), "New Region","Previously Seen Region") | where - userRegion= "New Region" | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` - | table firstTime lastTime user previouslySeenRegion justSeenRegion userRegion | - `detect_aws_console_login_by_user_from_new_region_filter`' -how_to_implement: You must install and configure the Splunk Add-on for AWS (version - 5.1.0 or later) and Enterprise Security 6.2, which contains the required updates - to the Authentication data model for cloud use cases. Run the `Previously Seen Users - in AWS CloudTrail - Initial` support search only once to create a baseline of previously - seen IAM users within the last 30 days. Run `Previously Seen Users in AWS CloudTrail - - Update` hourly (or more frequently depending on how often you run the detection - searches) to refresh the baselines. You can also provide additional filtering for - this search by customizing the `detect_aws_console_login_by_user_from_new_region_filter` - macro. -known_false_positives: When a legitimate new user logins for the first time, this - activity will be detected. Check how old the account is and verify that the user - activity is legitimate. +search: '| tstats earliest(_time) as firstTime latest(_time) as lastTime from datamodel=Authentication where Authentication.signature=ConsoleLogin by Authentication.user Authentication.src | iplocation Authentication.src | `drop_dm_object_name(Authentication)` | rename Region as justSeenRegion | table firstTime lastTime user justSeenRegion | join user type=outer [| inputlookup previously_seen_users_console_logins | rename Region as previouslySeenRegion | stats min(firstTime) AS earliestseen by user previouslySeenRegion | fields earliestseen user previouslySeenRegion] | eval userRegion=if(firstTime >= relative_time(now(), "-24h@h"), "New Region","Previously Seen Region") | where userRegion= "New Region" | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | table firstTime lastTime user previouslySeenRegion justSeenRegion userRegion | `detect_aws_console_login_by_user_from_new_region_filter`' +how_to_implement: You must install and configure the Splunk Add-on for AWS (version 5.1.0 or later) and Enterprise Security 6.2, which contains the required updates to the Authentication data model for cloud use cases. Run the `Previously Seen Users in AWS CloudTrail - Initial` support search only once to create a baseline of previously seen IAM users within the last 30 days. Run `Previously Seen Users in AWS CloudTrail - Update` hourly (or more frequently depending on how often you run the detection searches) to refresh the baselines. You can also provide additional filtering for this search by customizing the `detect_aws_console_login_by_user_from_new_region_filter` macro. +known_false_positives: When a legitimate new user logins for the first time, this activity will be detected. Check how old the account is and verify that the user activity is legitimate. references: [] tags: analytic_story: @@ -47,8 +21,7 @@ tags: asset_type: AWS Instance confidence: 60 impact: 60 - message: User $user$ is logging into the AWS console from Region $Region$ for the - first time + message: User $user$ is logging into the AWS console from Region $Region$ for the first time mitre_attack_id: - T1586 - T1586.003 @@ -69,13 +42,11 @@ tags: - Authentication.src risk_score: 36 security_domain: threat - manual_test: This search needs the baseline to be run first to create a lookup. - It also requires that the timestamps in the dataset be updated. + manual_test: This search needs the baseline to be run first to create a lookup. It also requires that the timestamps in the dataset be updated. tests: - name: True Positive Test attack_data: - - data: - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/suspicious_behaviour/abnormally_high_cloud_instances_launched/cloudtrail_behavioural_detections.json + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/suspicious_behaviour/abnormally_high_cloud_instances_launched/cloudtrail_behavioural_detections.json sourcetype: aws:cloudtrail source: aws_cloudtrail update_timestamp: true diff --git a/detections/cloud/detect_gcp_storage_access_from_a_new_ip.yml b/detections/cloud/detect_gcp_storage_access_from_a_new_ip.yml index 6c3a364344..4b2339b3b9 100644 --- a/detections/cloud/detect_gcp_storage_access_from_a_new_ip.yml +++ b/detections/cloud/detect_gcp_storage_access_from_a_new_ip.yml @@ -5,40 +5,11 @@ date: '2024-10-17' author: Shannon Davis, Splunk status: experimental type: Anomaly -description: The following analytic identifies access to GCP Storage buckets from - new or previously unseen remote IP addresses. It leverages GCP Storage bucket-access - logs ingested via Cloud Pub/Sub and compares current access events against a lookup - table of previously seen IP addresses. This activity is significant as it may indicate - unauthorized access or potential reconnaissance by an attacker. If confirmed malicious, - this could lead to data exfiltration, unauthorized data manipulation, or further - compromise of the GCP environment. +description: The following analytic identifies access to GCP Storage buckets from new or previously unseen remote IP addresses. It leverages GCP Storage bucket-access logs ingested via Cloud Pub/Sub and compares current access events against a lookup table of previously seen IP addresses. This activity is significant as it may indicate unauthorized access or potential reconnaissance by an attacker. If confirmed malicious, this could lead to data exfiltration, unauthorized data manipulation, or further compromise of the GCP environment. data_source: [] -search: '`google_gcp_pubsub_message` | multikv | rename sc_status_ as status | rename - cs_object_ as bucket_name | rename c_ip_ as remote_ip | rename cs_uri_ as request_uri - | rename cs_method_ as operation | search status="\"200\"" | stats earliest(_time) - as firstTime latest(_time) as lastTime by bucket_name remote_ip operation request_uri - | table firstTime, lastTime, bucket_name, remote_ip, operation, request_uri | inputlookup - append=t previously_seen_gcp_storage_access_from_remote_ip | stats min(firstTime) - as firstTime, max(lastTime) as lastTime by bucket_name remote_ip operation request_uri - | outputlookup previously_seen_gcp_storage_access_from_remote_ip | eval newIP=if(firstTime - >= relative_time(now(),"-70m@m"), 1, 0) | where newIP=1 | eval first_time=strftime(firstTime,"%m/%d/%y - %H:%M:%S") | eval last_time=strftime(lastTime,"%m/%d/%y %H:%M:%S") | table first_time - last_time bucket_name remote_ip operation request_uri | `detect_gcp_storage_access_from_a_new_ip_filter`' -how_to_implement: This search relies on the Splunk Add-on for Google Cloud Platform, - setting up a Cloud Pub/Sub input, along with the relevant GCP PubSub topics and - logging sink to capture GCP Storage Bucket events (https://cloud.google.com/logging/docs/routing/overview). - In order to capture public GCP Storage Bucket access logs, you must also enable - storage bucket logging to your PubSub Topic as per https://cloud.google.com/storage/docs/access-logs. These - logs are deposited into the nominated Storage Bucket on an hourly basis and typically - show up by 15 minutes past the hour. It is recommended to configure any saved searches - or correlation searches in Enterprise Security to run on an hourly basis at 30 minutes - past the hour (cron definition of 30 * * * *). A lookup table (previously_seen_gcp_storage_access_from_remote_ip.csv) - stores the previously seen access requests, and is used by this search to determine - any newly seen IP addresses accessing the Storage Buckets. -known_false_positives: GCP Storage buckets can be accessed from any IP (if the ACLs - are open to allow it), as long as it can make a successful connection. This will - be a false postive, since the search is looking for a new IP within the past two - hours. +search: '`google_gcp_pubsub_message` | multikv | rename sc_status_ as status | rename cs_object_ as bucket_name | rename c_ip_ as remote_ip | rename cs_uri_ as request_uri | rename cs_method_ as operation | search status="\"200\"" | stats earliest(_time) as firstTime latest(_time) as lastTime by bucket_name remote_ip operation request_uri | table firstTime, lastTime, bucket_name, remote_ip, operation, request_uri | inputlookup append=t previously_seen_gcp_storage_access_from_remote_ip | stats min(firstTime) as firstTime, max(lastTime) as lastTime by bucket_name remote_ip operation request_uri | outputlookup previously_seen_gcp_storage_access_from_remote_ip | eval newIP=if(firstTime >= relative_time(now(),"-70m@m"), 1, 0) | where newIP=1 | eval first_time=strftime(firstTime,"%m/%d/%y %H:%M:%S") | eval last_time=strftime(lastTime,"%m/%d/%y %H:%M:%S") | table first_time last_time bucket_name remote_ip operation request_uri | `detect_gcp_storage_access_from_a_new_ip_filter`' +how_to_implement: This search relies on the Splunk Add-on for Google Cloud Platform, setting up a Cloud Pub/Sub input, along with the relevant GCP PubSub topics and logging sink to capture GCP Storage Bucket events (https://cloud.google.com/logging/docs/routing/overview). In order to capture public GCP Storage Bucket access logs, you must also enable storage bucket logging to your PubSub Topic as per https://cloud.google.com/storage/docs/access-logs. These logs are deposited into the nominated Storage Bucket on an hourly basis and typically show up by 15 minutes past the hour. It is recommended to configure any saved searches or correlation searches in Enterprise Security to run on an hourly basis at 30 minutes past the hour (cron definition of 30 * * * *). A lookup table (previously_seen_gcp_storage_access_from_remote_ip.csv) stores the previously seen access requests, and is used by this search to determine any newly seen IP addresses accessing the Storage Buckets. +known_false_positives: GCP Storage buckets can be accessed from any IP (if the ACLs are open to allow it), as long as it can make a successful connection. This will be a false postive, since the search is looking for a new IP within the past two hours. references: [] tags: analytic_story: diff --git a/detections/cloud/detect_new_open_gcp_storage_buckets.yml b/detections/cloud/detect_new_open_gcp_storage_buckets.yml index 6d4ebeeba6..a1c5254caf 100644 --- a/detections/cloud/detect_new_open_gcp_storage_buckets.yml +++ b/detections/cloud/detect_new_open_gcp_storage_buckets.yml @@ -5,30 +5,11 @@ date: '2024-10-17' author: Shannon Davis, Splunk status: experimental type: TTP -description: The following analytic identifies the creation of new open/public GCP - Storage buckets. It leverages GCP PubSub events, specifically monitoring for the - `storage.setIamPermissions` method and checks if the `allUsers` member is added. - This activity is significant because open storage buckets can expose sensitive data - to the public, posing a severe security risk. If confirmed malicious, an attacker - could access, modify, or delete data within the bucket, leading to data breaches - and potential compliance violations. +description: The following analytic identifies the creation of new open/public GCP Storage buckets. It leverages GCP PubSub events, specifically monitoring for the `storage.setIamPermissions` method and checks if the `allUsers` member is added. This activity is significant because open storage buckets can expose sensitive data to the public, posing a severe security risk. If confirmed malicious, an attacker could access, modify, or delete data within the bucket, leading to data breaches and potential compliance violations. data_source: [] -search: '`google_gcp_pubsub_message` data.resource.type=gcs_bucket data.protoPayload.methodName=storage.setIamPermissions - | spath output=action path=data.protoPayload.serviceData.policyDelta.bindingDeltas{}.action - | spath output=user path=data.protoPayload.authenticationInfo.principalEmail | spath - output=location path=data.protoPayload.resourceLocation.currentLocations{} | spath - output=src path=data.protoPayload.requestMetadata.callerIp | spath output=bucketName - path=data.protoPayload.resourceName | spath output=role path=data.protoPayload.serviceData.policyDelta.bindingDeltas{}.role - | spath output=member path=data.protoPayload.serviceData.policyDelta.bindingDeltas{}.member - | search (member=allUsers AND action=ADD) | table _time, bucketName, src, user, - location, action, role, member | search `detect_new_open_gcp_storage_buckets_filter`' -how_to_implement: This search relies on the Splunk Add-on for Google Cloud Platform, - setting up a Cloud Pub/Sub input, along with the relevant GCP PubSub topics and - logging sink to capture GCP Storage Bucket events (https://cloud.google.com/logging/docs/routing/overview). -known_false_positives: While this search has no known false positives, it is possible - that a GCP admin has legitimately created a public bucket for a specific purpose. - That said, GCP strongly advises against granting full control to the "allUsers" - group. +search: '`google_gcp_pubsub_message` data.resource.type=gcs_bucket data.protoPayload.methodName=storage.setIamPermissions | spath output=action path=data.protoPayload.serviceData.policyDelta.bindingDeltas{}.action | spath output=user path=data.protoPayload.authenticationInfo.principalEmail | spath output=location path=data.protoPayload.resourceLocation.currentLocations{} | spath output=src path=data.protoPayload.requestMetadata.callerIp | spath output=bucketName path=data.protoPayload.resourceName | spath output=role path=data.protoPayload.serviceData.policyDelta.bindingDeltas{}.role | spath output=member path=data.protoPayload.serviceData.policyDelta.bindingDeltas{}.member | search (member=allUsers AND action=ADD) | table _time, bucketName, src, user, location, action, role, member | search `detect_new_open_gcp_storage_buckets_filter`' +how_to_implement: This search relies on the Splunk Add-on for Google Cloud Platform, setting up a Cloud Pub/Sub input, along with the relevant GCP PubSub topics and logging sink to capture GCP Storage Bucket events (https://cloud.google.com/logging/docs/routing/overview). +known_false_positives: While this search has no known false positives, it is possible that a GCP admin has legitimately created a public bucket for a specific purpose. That said, GCP strongly advises against granting full control to the "allUsers" group. references: [] tags: analytic_story: diff --git a/detections/cloud/detect_new_open_s3_buckets.yml b/detections/cloud/detect_new_open_s3_buckets.yml index ac04c87997..4b9ade8b3b 100644 --- a/detections/cloud/detect_new_open_s3_buckets.yml +++ b/detections/cloud/detect_new_open_s3_buckets.yml @@ -13,12 +13,12 @@ how_to_implement: You must install the AWS App for Splunk. known_false_positives: While this search has no known false positives, it is possible that an AWS admin has legitimately created a public bucket for a specific purpose. That said, AWS strongly advises against granting full control to the "All Users" group. references: [] drilldown_searches: -- name: View the detection results for $user_arn$ and $bucketName$ - search: '%original_detection_search% | search user_arn = $user_arn$ bucketName = $bucketName$' +- name: View the detection results for - "$user_arn$" and "$bucketName$" + search: '%original_detection_search% | search user_arn = "$user_arn$" bucketName = "$bucketName$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user_arn$ and $bucketName$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user_arn$, $bucketName$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user_arn$" and "$bucketName$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user_arn$", "$bucketName$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/cloud/detect_new_open_s3_buckets_over_aws_cli.yml b/detections/cloud/detect_new_open_s3_buckets_over_aws_cli.yml index b164080c17..475d944eea 100644 --- a/detections/cloud/detect_new_open_s3_buckets_over_aws_cli.yml +++ b/detections/cloud/detect_new_open_s3_buckets_over_aws_cli.yml @@ -13,12 +13,12 @@ how_to_implement: The Splunk AWS Add-on and Splunk App for AWS is required to ut known_false_positives: While this search has no known false positives, it is possible that an AWS admin has legitimately created a public bucket for a specific purpose. That said, AWS strongly advises against granting full control to the "All Users" group. references: [] drilldown_searches: -- name: View the detection results for $userIdentity.userName$ - search: '%original_detection_search% | search userIdentity.userName = $userIdentity.userName$' +- name: View the detection results for - "$userIdentity.userName$" + search: '%original_detection_search% | search userIdentity.userName = "$userIdentity.userName$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $userIdentity.userName$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($userIdentity.userName$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$userIdentity.userName$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$userIdentity.userName$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/cloud/detect_s3_access_from_a_new_ip.yml b/detections/cloud/detect_s3_access_from_a_new_ip.yml index 21a39bf19f..81938ba49f 100644 --- a/detections/cloud/detect_s3_access_from_a_new_ip.yml +++ b/detections/cloud/detect_s3_access_from_a_new_ip.yml @@ -5,31 +5,11 @@ date: '2024-10-17' author: Bhavin Patel, Splunk status: experimental type: Anomaly -description: The following analytic identifies access to an S3 bucket from a new or - previously unseen remote IP address. It leverages S3 bucket-access logs, specifically - focusing on successful access events (http_status=200). This activity is significant - because access from unfamiliar IP addresses could indicate unauthorized access or - potential data exfiltration attempts. If confirmed malicious, this activity could - lead to unauthorized data access, data theft, or further exploitation of the compromised - S3 bucket, posing a significant risk to sensitive information stored within the - bucket. +description: The following analytic identifies access to an S3 bucket from a new or previously unseen remote IP address. It leverages S3 bucket-access logs, specifically focusing on successful access events (http_status=200). This activity is significant because access from unfamiliar IP addresses could indicate unauthorized access or potential data exfiltration attempts. If confirmed malicious, this activity could lead to unauthorized data access, data theft, or further exploitation of the compromised S3 bucket, posing a significant risk to sensitive information stored within the bucket. data_source: [] -search: '`aws_s3_accesslogs` http_status=200 [search `aws_s3_accesslogs` http_status=200 - | stats earliest(_time) as firstTime latest(_time) as lastTime by bucket_name remote_ip - | inputlookup append=t previously_seen_S3_access_from_remote_ip | stats min(firstTime) - as firstTime, max(lastTime) as lastTime by bucket_name remote_ip | outputlookup - previously_seen_S3_access_from_remote_ip| eval newIP=if(firstTime >= relative_time(now(), - "-70m@m"), 1, 0) | where newIP=1 | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` - | table bucket_name remote_ip]| iplocation remote_ip |rename remote_ip as src_ip - | table _time bucket_name src_ip City Country operation request_uri | `detect_s3_access_from_a_new_ip_filter`' -how_to_implement: You must install the AWS App for Splunk (version 5.1.0 or later) - and Splunk Add-on for AWS (version 4.4.0 or later), then configure your S3 access - logs' inputs. This search works best when you run the "Previously Seen S3 Bucket - Access by Remote IP" support search once to create a history of previously seen - remote IPs and bucket names. -known_false_positives: S3 buckets can be accessed from any IP, as long as it can make - a successful connection. This will be a false postive, since the search is looking - for a new IP within the past hour +search: '`aws_s3_accesslogs` http_status=200 [search `aws_s3_accesslogs` http_status=200 | stats earliest(_time) as firstTime latest(_time) as lastTime by bucket_name remote_ip | inputlookup append=t previously_seen_S3_access_from_remote_ip | stats min(firstTime) as firstTime, max(lastTime) as lastTime by bucket_name remote_ip | outputlookup previously_seen_S3_access_from_remote_ip| eval newIP=if(firstTime >= relative_time(now(), "-70m@m"), 1, 0) | where newIP=1 | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | table bucket_name remote_ip]| iplocation remote_ip |rename remote_ip as src_ip | table _time bucket_name src_ip City Country operation request_uri | `detect_s3_access_from_a_new_ip_filter`' +how_to_implement: You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your S3 access logs' inputs. This search works best when you run the "Previously Seen S3 Bucket Access by Remote IP" support search once to create a history of previously seen remote IPs and bucket names. +known_false_positives: S3 buckets can be accessed from any IP, as long as it can make a successful connection. This will be a false postive, since the search is looking for a new IP within the past hour references: [] tags: analytic_story: diff --git a/detections/cloud/detect_spike_in_aws_security_hub_alerts_for_ec2_instance.yml b/detections/cloud/detect_spike_in_aws_security_hub_alerts_for_ec2_instance.yml index 70e1f8c296..bccbc3af83 100644 --- a/detections/cloud/detect_spike_in_aws_security_hub_alerts_for_ec2_instance.yml +++ b/detections/cloud/detect_spike_in_aws_security_hub_alerts_for_ec2_instance.yml @@ -13,12 +13,12 @@ how_to_implement: You must install the AWS App for Splunk (version 5.1.0 or late known_false_positives: None references: [] drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/cloud/detect_spike_in_aws_security_hub_alerts_for_user.yml b/detections/cloud/detect_spike_in_aws_security_hub_alerts_for_user.yml index 9bcb340cbe..5d7abde51e 100644 --- a/detections/cloud/detect_spike_in_aws_security_hub_alerts_for_user.yml +++ b/detections/cloud/detect_spike_in_aws_security_hub_alerts_for_user.yml @@ -5,24 +5,11 @@ date: '2024-10-09' author: Bhavin Patel, Splunk status: experimental type: Anomaly -description: The following analytic identifies a spike in the number of AWS Security - Hub alerts for an AWS IAM User within a 4-hour interval. It leverages AWS Security - Hub findings data, calculating the average and standard deviation of alerts to detect - significant deviations. This activity is significant as a sudden increase in alerts - for a specific user may indicate suspicious behavior or a potential security incident. - If confirmed malicious, this could signify an ongoing attack, unauthorized access, - or misuse of IAM credentials, potentially leading to data breaches or further exploitation. +description: The following analytic identifies a spike in the number of AWS Security Hub alerts for an AWS IAM User within a 4-hour interval. It leverages AWS Security Hub findings data, calculating the average and standard deviation of alerts to detect significant deviations. This activity is significant as a sudden increase in alerts for a specific user may indicate suspicious behavior or a potential security incident. If confirmed malicious, this could signify an ongoing attack, unauthorized access, or misuse of IAM credentials, potentially leading to data breaches or further exploitation. data_source: - AWS Security Hub -search: '`aws_securityhub_finding` "findings{}.Resources{}.Type"= AwsIamUser | rename - findings{}.Resources{}.Id as user | bucket span=4h _time | stats count AS alerts - by _time user | eventstats avg(alerts) as total_launched_avg, stdev(alerts) as total_launched_stdev - | eval threshold_value = 2 | eval isOutlier=if(alerts > total_launched_avg+(total_launched_stdev - * threshold_value), 1, 0) | search isOutlier=1 | table _time user alerts |`detect_spike_in_aws_security_hub_alerts_for_user_filter`' -how_to_implement: You must install the AWS App for Splunk (version 5.1.0 or later) - and Splunk Add-on for AWS (version 4.4.0 or later), then configure your Security - Hub inputs. The threshold_value should be tuned to your environment and schedule - these searches according to the bucket span interval. +search: '`aws_securityhub_finding` "findings{}.Resources{}.Type"= AwsIamUser | rename findings{}.Resources{}.Id as user | bucket span=4h _time | stats count AS alerts by _time user | eventstats avg(alerts) as total_launched_avg, stdev(alerts) as total_launched_stdev | eval threshold_value = 2 | eval isOutlier=if(alerts > total_launched_avg+(total_launched_stdev * threshold_value), 1, 0) | search isOutlier=1 | table _time user alerts |`detect_spike_in_aws_security_hub_alerts_for_user_filter`' +how_to_implement: You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your Security Hub inputs. The threshold_value should be tuned to your environment and schedule these searches according to the bucket span interval. known_false_positives: None references: [] tags: diff --git a/detections/cloud/detect_spike_in_blocked_outbound_traffic_from_your_aws.yml b/detections/cloud/detect_spike_in_blocked_outbound_traffic_from_your_aws.yml index e5cecacca7..60daa229eb 100644 --- a/detections/cloud/detect_spike_in_blocked_outbound_traffic_from_your_aws.yml +++ b/detections/cloud/detect_spike_in_blocked_outbound_traffic_from_your_aws.yml @@ -5,44 +5,11 @@ date: '2024-10-17' author: Bhavin Patel, Splunk status: experimental type: Anomaly -description: The following analytic identifies spikes in blocked outbound network - connections originating from within your AWS environment. It leverages VPC Flow - Logs data from CloudWatch, focusing on blocked actions from internal IP ranges to - external destinations. This detection is significant as it can indicate potential - exfiltration attempts or misconfigurations leading to data leakage. If confirmed - malicious, such activity could allow attackers to bypass network defenses, leading - to unauthorized data transfer or communication with malicious external entities. +description: The following analytic identifies spikes in blocked outbound network connections originating from within your AWS environment. It leverages VPC Flow Logs data from CloudWatch, focusing on blocked actions from internal IP ranges to external destinations. This detection is significant as it can indicate potential exfiltration attempts or misconfigurations leading to data leakage. If confirmed malicious, such activity could allow attackers to bypass network defenses, leading to unauthorized data transfer or communication with malicious external entities. data_source: [] -search: '`cloudwatchlogs_vpcflow` action=blocked (src_ip=10.0.0.0/8 OR src_ip=172.16.0.0/12 - OR src_ip=192.168.0.0/16) ( dest_ip!=10.0.0.0/8 AND dest_ip!=172.16.0.0/12 AND dest_ip!=192.168.0.0/16) [search `cloudwatchlogs_vpcflow` - action=blocked (src_ip=10.0.0.0/8 OR src_ip=172.16.0.0/12 OR src_ip=192.168.0.0/16) - ( dest_ip!=10.0.0.0/8 AND dest_ip!=172.16.0.0/12 AND dest_ip!=192.168.0.0/16) | - stats count as numberOfBlockedConnections by src_ip | inputlookup baseline_blocked_outbound_connections - append=t | fields - latestCount | stats values(*) as * by src_ip | rename numberOfBlockedConnections - as latestCount | eval newAvgBlockedConnections=avgBlockedConnections + (latestCount-avgBlockedConnections)/720 - | eval newStdevBlockedConnections=sqrt(((pow(stdevBlockedConnections, 2)*719 + (latestCount-newAvgBlockedConnections)*(latestCount-avgBlockedConnections))/720)) - | eval avgBlockedConnections=coalesce(newAvgBlockedConnections, avgBlockedConnections), - stdevBlockedConnections=coalesce(newStdevBlockedConnections, stdevBlockedConnections), - numDataPoints=if(isnull(latestCount), numDataPoints, numDataPoints+1) | table src_ip, - latestCount, numDataPoints, avgBlockedConnections, stdevBlockedConnections | outputlookup - baseline_blocked_outbound_connections | eval dataPointThreshold = 5, deviationThreshold - = 3 | eval isSpike=if((latestCount > avgBlockedConnections+deviationThreshold*stdevBlockedConnections) - AND numDataPoints > dataPointThreshold, 1, 0) | where isSpike=1 | table src_ip] - | stats values(dest_ip) as dest_ip, values(interface_id) as "resourceId" count as - numberOfBlockedConnections, dc(dest_ip) as uniqueDestConnections by src_ip | `detect_spike_in_blocked_outbound_traffic_from_your_aws_filter`' -how_to_implement: You must install the AWS App for Splunk (version 5.1.0 or later) - and Splunk Add-on for AWS (version 4.4.0 or later), then configure your VPC Flow - logs. You can modify `dataPointThreshold` and `deviationThreshold` to better fit - your environment. The `dataPointThreshold` variable is the number of data points - required to meet the definition of "spike." The `deviationThreshold` variable is - the number of standard deviations away from the mean that the value must be to be - considered a spike. This search works best when you run the "Baseline of Blocked - Outbound Connection" support search once to create a history of previously seen - blocked outbound connections. -known_false_positives: The false-positive rate may vary based on the values of`dataPointThreshold` - and `deviationThreshold`. Additionally, false positives may result when AWS administrators - roll out policies enforcing network blocks, causing sudden increases in the number - of blocked outbound connections. +search: '`cloudwatchlogs_vpcflow` action=blocked (src_ip=10.0.0.0/8 OR src_ip=172.16.0.0/12 OR src_ip=192.168.0.0/16) ( dest_ip!=10.0.0.0/8 AND dest_ip!=172.16.0.0/12 AND dest_ip!=192.168.0.0/16) [search `cloudwatchlogs_vpcflow` action=blocked (src_ip=10.0.0.0/8 OR src_ip=172.16.0.0/12 OR src_ip=192.168.0.0/16) ( dest_ip!=10.0.0.0/8 AND dest_ip!=172.16.0.0/12 AND dest_ip!=192.168.0.0/16) | stats count as numberOfBlockedConnections by src_ip | inputlookup baseline_blocked_outbound_connections append=t | fields - latestCount | stats values(*) as * by src_ip | rename numberOfBlockedConnections as latestCount | eval newAvgBlockedConnections=avgBlockedConnections + (latestCount-avgBlockedConnections)/720 | eval newStdevBlockedConnections=sqrt(((pow(stdevBlockedConnections, 2)*719 + (latestCount-newAvgBlockedConnections)*(latestCount-avgBlockedConnections))/720)) | eval avgBlockedConnections=coalesce(newAvgBlockedConnections, avgBlockedConnections), stdevBlockedConnections=coalesce(newStdevBlockedConnections, stdevBlockedConnections), numDataPoints=if(isnull(latestCount), numDataPoints, numDataPoints+1) | table src_ip, latestCount, numDataPoints, avgBlockedConnections, stdevBlockedConnections | outputlookup baseline_blocked_outbound_connections | eval dataPointThreshold = 5, deviationThreshold = 3 | eval isSpike=if((latestCount > avgBlockedConnections+deviationThreshold*stdevBlockedConnections) AND numDataPoints > dataPointThreshold, 1, 0) | where isSpike=1 | table src_ip] | stats values(dest_ip) as dest_ip, values(interface_id) as "resourceId" count as numberOfBlockedConnections, dc(dest_ip) as uniqueDestConnections by src_ip | `detect_spike_in_blocked_outbound_traffic_from_your_aws_filter`' +how_to_implement: You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your VPC Flow logs. You can modify `dataPointThreshold` and `deviationThreshold` to better fit your environment. The `dataPointThreshold` variable is the number of data points required to meet the definition of "spike." The `deviationThreshold` variable is the number of standard deviations away from the mean that the value must be to be considered a spike. This search works best when you run the "Baseline of Blocked Outbound Connection" support search once to create a history of previously seen blocked outbound connections. +known_false_positives: The false-positive rate may vary based on the values of`dataPointThreshold` and `deviationThreshold`. Additionally, false positives may result when AWS administrators roll out policies enforcing network blocks, causing sudden increases in the number of blocked outbound connections. references: [] tags: analytic_story: diff --git a/detections/cloud/detect_spike_in_s3_bucket_deletion.yml b/detections/cloud/detect_spike_in_s3_bucket_deletion.yml index 79b38395c4..606d5295f5 100644 --- a/detections/cloud/detect_spike_in_s3_bucket_deletion.yml +++ b/detections/cloud/detect_spike_in_s3_bucket_deletion.yml @@ -5,41 +5,12 @@ date: '2024-10-17' author: Bhavin Patel, Splunk status: experimental type: Anomaly -description: The following analytic identifies a spike in API activity related to - the deletion of S3 buckets in your AWS environment. It leverages AWS CloudTrail - logs to detect anomalies by comparing current deletion activity against a historical - baseline. This activity is significant as unusual spikes in S3 bucket deletions - could indicate malicious actions such as data exfiltration or unauthorized data - destruction. If confirmed malicious, this could lead to significant data loss, disruption - of services, and potential exposure of sensitive information. Immediate investigation - is required to determine the legitimacy of the activity. -data_source: +description: The following analytic identifies a spike in API activity related to the deletion of S3 buckets in your AWS environment. It leverages AWS CloudTrail logs to detect anomalies by comparing current deletion activity against a historical baseline. This activity is significant as unusual spikes in S3 bucket deletions could indicate malicious actions such as data exfiltration or unauthorized data destruction. If confirmed malicious, this could lead to significant data loss, disruption of services, and potential exposure of sensitive information. Immediate investigation is required to determine the legitimacy of the activity. +data_source: - AWS CloudTrail -search: '`cloudtrail` eventName=DeleteBucket [search `cloudtrail` eventName=DeleteBucket - | spath output=arn path=userIdentity.arn | stats count as apiCalls by arn | inputlookup - s3_deletion_baseline append=t | fields - latestCount | stats values(*) as * by arn - | rename apiCalls as latestCount | eval newAvgApiCalls=avgApiCalls + (latestCount-avgApiCalls)/720 - | eval newStdevApiCalls=sqrt(((pow(stdevApiCalls, 2)*719 + (latestCount-newAvgApiCalls)*(latestCount-avgApiCalls))/720)) - | eval avgApiCalls=coalesce(newAvgApiCalls, avgApiCalls), stdevApiCalls=coalesce(newStdevApiCalls, - stdevApiCalls), numDataPoints=if(isnull(latestCount), numDataPoints, numDataPoints+1) - | table arn, latestCount, numDataPoints, avgApiCalls, stdevApiCalls | outputlookup - s3_deletion_baseline | eval dataPointThreshold = 15, deviationThreshold = 3 | eval - isSpike=if((latestCount > avgApiCalls+deviationThreshold*stdevApiCalls) AND numDataPoints - > dataPointThreshold, 1, 0) | where isSpike=1 | rename arn as userIdentity.arn | - table userIdentity.arn] | spath output=user userIdentity.arn | spath output=bucketName - path=requestParameters.bucketName | stats values(bucketName) as bucketName, count - as numberOfApiCalls, dc(eventName) as uniqueApisCalled by user | `detect_spike_in_s3_bucket_deletion_filter`' -how_to_implement: You must install the AWS App for Splunk (version 5.1.0 or later) - and Splunk Add-on for AWS (version 4.4.0 or later), then configure your AWS CloudTrail - inputs. You can modify `dataPointThreshold` and `deviationThreshold` to better fit - your environment. The `dataPointThreshold` variable is the minimum number of data - points required to have a statistically significant amount of data to determine. - The `deviationThreshold` variable is the number of standard deviations away from - the mean that the value must be to be considered a spike. This search works best - when you run the "Baseline of S3 Bucket deletion activity by ARN" support search - once to create a baseline of previously seen S3 bucket-deletion activity. -known_false_positives: Based on the values of`dataPointThreshold` and `deviationThreshold`, - the false positive rate may vary. Please modify this according the your environment. +search: '`cloudtrail` eventName=DeleteBucket [search `cloudtrail` eventName=DeleteBucket | spath output=arn path=userIdentity.arn | stats count as apiCalls by arn | inputlookup s3_deletion_baseline append=t | fields - latestCount | stats values(*) as * by arn | rename apiCalls as latestCount | eval newAvgApiCalls=avgApiCalls + (latestCount-avgApiCalls)/720 | eval newStdevApiCalls=sqrt(((pow(stdevApiCalls, 2)*719 + (latestCount-newAvgApiCalls)*(latestCount-avgApiCalls))/720)) | eval avgApiCalls=coalesce(newAvgApiCalls, avgApiCalls), stdevApiCalls=coalesce(newStdevApiCalls, stdevApiCalls), numDataPoints=if(isnull(latestCount), numDataPoints, numDataPoints+1) | table arn, latestCount, numDataPoints, avgApiCalls, stdevApiCalls | outputlookup s3_deletion_baseline | eval dataPointThreshold = 15, deviationThreshold = 3 | eval isSpike=if((latestCount > avgApiCalls+deviationThreshold*stdevApiCalls) AND numDataPoints > dataPointThreshold, 1, 0) | where isSpike=1 | rename arn as userIdentity.arn | table userIdentity.arn] | spath output=user userIdentity.arn | spath output=bucketName path=requestParameters.bucketName | stats values(bucketName) as bucketName, count as numberOfApiCalls, dc(eventName) as uniqueApisCalled by user | `detect_spike_in_s3_bucket_deletion_filter`' +how_to_implement: You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your AWS CloudTrail inputs. You can modify `dataPointThreshold` and `deviationThreshold` to better fit your environment. The `dataPointThreshold` variable is the minimum number of data points required to have a statistically significant amount of data to determine. The `deviationThreshold` variable is the number of standard deviations away from the mean that the value must be to be considered a spike. This search works best when you run the "Baseline of S3 Bucket deletion activity by ARN" support search once to create a baseline of previously seen S3 bucket-deletion activity. +known_false_positives: Based on the values of`dataPointThreshold` and `deviationThreshold`, the false positive rate may vary. Please modify this according the your environment. references: [] tags: analytic_story: diff --git a/detections/cloud/gcp_authentication_failed_during_mfa_challenge.yml b/detections/cloud/gcp_authentication_failed_during_mfa_challenge.yml index ff35de2fb2..ce94457b13 100644 --- a/detections/cloud/gcp_authentication_failed_during_mfa_challenge.yml +++ b/detections/cloud/gcp_authentication_failed_during_mfa_challenge.yml @@ -15,12 +15,12 @@ references: - https://attack.mitre.org/techniques/T1621/ - https://attack.mitre.org/techniques/T1078/004/ drilldown_searches: -- name: View the detection results for $user$ - search: '%original_detection_search% | search user = $user$' +- name: View the detection results for - "$user$" + search: '%original_detection_search% | search user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/cloud/gcp_detect_gcploit_framework.yml b/detections/cloud/gcp_detect_gcploit_framework.yml index 724b22185f..30946b5976 100644 --- a/detections/cloud/gcp_detect_gcploit_framework.yml +++ b/detections/cloud/gcp_detect_gcploit_framework.yml @@ -5,24 +5,11 @@ date: '2024-10-17' author: Rod Soto, Splunk status: experimental type: TTP -description: The following analytic identifies the use of the GCPloit exploitation - framework within Google Cloud Platform (GCP). It detects specific GCP Pub/Sub messages - with a function timeout of 539 seconds, which is indicative of GCPloit activity. - This detection is significant as GCPloit can be used to escalate privileges and - facilitate lateral movement from compromised high-privilege accounts. If confirmed - malicious, this activity could allow attackers to gain unauthorized access, escalate - their privileges, and move laterally within the GCP environment, potentially compromising - sensitive data and critical resources. +description: The following analytic identifies the use of the GCPloit exploitation framework within Google Cloud Platform (GCP). It detects specific GCP Pub/Sub messages with a function timeout of 539 seconds, which is indicative of GCPloit activity. This detection is significant as GCPloit can be used to escalate privileges and facilitate lateral movement from compromised high-privilege accounts. If confirmed malicious, this activity could allow attackers to gain unauthorized access, escalate their privileges, and move laterally within the GCP environment, potentially compromising sensitive data and critical resources. data_source: [] -search: '`google_gcp_pubsub_message` data.protoPayload.request.function.timeout=539s - | table src src_user data.resource.labels.project_id data.protoPayload.request.function.serviceAccountEmail - data.protoPayload.authorizationInfo{}.permission data.protoPayload.request.location - http_user_agent | `gcp_detect_gcploit_framework_filter`' -how_to_implement: You must install splunk GCP add-on. This search works with gcp:pubsub:message - logs -known_false_positives: Payload.request.function.timeout value can possibly be match - with other functions or requests however the source user and target request account - may indicate an attempt to move laterally accross acounts or projects +search: '`google_gcp_pubsub_message` data.protoPayload.request.function.timeout=539s | table src src_user data.resource.labels.project_id data.protoPayload.request.function.serviceAccountEmail data.protoPayload.authorizationInfo{}.permission data.protoPayload.request.location http_user_agent | `gcp_detect_gcploit_framework_filter`' +how_to_implement: You must install splunk GCP add-on. This search works with gcp:pubsub:message logs +known_false_positives: Payload.request.function.timeout value can possibly be match with other functions or requests however the source user and target request account may indicate an attempt to move laterally accross acounts or projects references: - https://github.com/dxa4481/gcploit - https://www.youtube.com/watch?v=Ml09R38jpok diff --git a/detections/cloud/gcp_kubernetes_cluster_pod_scan_detection.yml b/detections/cloud/gcp_kubernetes_cluster_pod_scan_detection.yml index 419344a6fa..5109661316 100644 --- a/detections/cloud/gcp_kubernetes_cluster_pod_scan_detection.yml +++ b/detections/cloud/gcp_kubernetes_cluster_pod_scan_detection.yml @@ -5,22 +5,11 @@ date: '2024-10-17' author: Rod Soto, Splunk status: experimental type: Hunting -description: The following analytic identifies unauthenticated requests to Kubernetes - cluster pods. It detects this activity by analyzing GCP Pub/Sub messages for audit - logs where the response status code is 401, indicating unauthorized access attempts. - This activity is significant for a SOC because it may indicate reconnaissance or - scanning attempts by an attacker trying to identify vulnerable pods. If confirmed - malicious, this activity could lead to unauthorized access, allowing the attacker - to exploit vulnerabilities within the cluster, potentially compromising sensitive - data or gaining control over the Kubernetes environment. +description: The following analytic identifies unauthenticated requests to Kubernetes cluster pods. It detects this activity by analyzing GCP Pub/Sub messages for audit logs where the response status code is 401, indicating unauthorized access attempts. This activity is significant for a SOC because it may indicate reconnaissance or scanning attempts by an attacker trying to identify vulnerable pods. If confirmed malicious, this activity could lead to unauthorized access, allowing the attacker to exploit vulnerabilities within the cluster, potentially compromising sensitive data or gaining control over the Kubernetes environment. data_source: [] -search: '`google_gcp_pubsub_message` category=kube-audit |spath input=properties.log - |search responseStatus.code=401 |table sourceIPs{} userAgent verb requestURI responseStatus.reason - properties.pod | `gcp_kubernetes_cluster_pod_scan_detection_filter`' -how_to_implement: You must install the GCP App for Splunk (version 2.0.0 or later), - then configure stackdriver and set a Pub/Sub subscription to be imported to Splunk. -known_false_positives: Not all unauthenticated requests are malicious, but frequency, - User Agent, source IPs and pods will provide context. +search: '`google_gcp_pubsub_message` category=kube-audit |spath input=properties.log |search responseStatus.code=401 |table sourceIPs{} userAgent verb requestURI responseStatus.reason properties.pod | `gcp_kubernetes_cluster_pod_scan_detection_filter`' +how_to_implement: You must install the GCP App for Splunk (version 2.0.0 or later), then configure stackdriver and set a Pub/Sub subscription to be imported to Splunk. +known_false_positives: Not all unauthenticated requests are malicious, but frequency, User Agent, source IPs and pods will provide context. references: [] tags: analytic_story: diff --git a/detections/cloud/gcp_multi_factor_authentication_disabled.yml b/detections/cloud/gcp_multi_factor_authentication_disabled.yml index 21562dd4d7..1620bdefa7 100644 --- a/detections/cloud/gcp_multi_factor_authentication_disabled.yml +++ b/detections/cloud/gcp_multi_factor_authentication_disabled.yml @@ -16,12 +16,12 @@ references: - https://attack.mitre.org/tactics/TA0005/ - https://attack.mitre.org/techniques/T1556/ drilldown_searches: -- name: View the detection results for $user$ - search: '%original_detection_search% | search user = $user$' +- name: View the detection results for - "$user$" + search: '%original_detection_search% | search user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/cloud/gcp_multiple_failed_mfa_requests_for_user.yml b/detections/cloud/gcp_multiple_failed_mfa_requests_for_user.yml index 99bebccf56..5bc9eec942 100644 --- a/detections/cloud/gcp_multiple_failed_mfa_requests_for_user.yml +++ b/detections/cloud/gcp_multiple_failed_mfa_requests_for_user.yml @@ -18,12 +18,12 @@ references: - https://attack.mitre.org/techniques/T1621/ - https://attack.mitre.org/techniques/T1078/004/ drilldown_searches: -- name: View the detection results for $user$ - search: '%original_detection_search% | search user = $user$' +- name: View the detection results for - "$user$" + search: '%original_detection_search% | search user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/cloud/gcp_multiple_users_failing_to_authenticate_from_ip.yml b/detections/cloud/gcp_multiple_users_failing_to_authenticate_from_ip.yml index 3540ecc188..63db748127 100644 --- a/detections/cloud/gcp_multiple_users_failing_to_authenticate_from_ip.yml +++ b/detections/cloud/gcp_multiple_users_failing_to_authenticate_from_ip.yml @@ -17,12 +17,12 @@ references: - https://attack.mitre.org/techniques/T1110/003/ - https://www.blackhillsinfosec.com/wp-content/uploads/2020/05/Breaching-the-Cloud-Perimeter-Slides.pdf drilldown_searches: -- name: View the detection results for $tried_accounts$ - search: '%original_detection_search% | search tried_accounts = $tried_accounts$' +- name: View the detection results for - "$tried_accounts$" + search: '%original_detection_search% | search tried_accounts = "$tried_accounts$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $tried_accounts$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($tried_accounts$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$tried_accounts$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$tried_accounts$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/cloud/gcp_successful_single_factor_authentication.yml b/detections/cloud/gcp_successful_single_factor_authentication.yml index 38aa9f3913..a3ad84eaea 100644 --- a/detections/cloud/gcp_successful_single_factor_authentication.yml +++ b/detections/cloud/gcp_successful_single_factor_authentication.yml @@ -16,12 +16,12 @@ references: - https://support.google.com/a/answer/175197?hl=en - https://www.forbes.com/sites/daveywinder/2020/07/08/new-dark-web-audit-reveals-15-billion-stolen-logins-from-100000-breaches-passwords-hackers-cybercrime/?sh=69927b2a180f drilldown_searches: -- name: View the detection results for $user$ - search: '%original_detection_search% | search user = $user$' +- name: View the detection results for - "$user$" + search: '%original_detection_search% | search user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/cloud/gcp_unusual_number_of_failed_authentications_from_ip.yml b/detections/cloud/gcp_unusual_number_of_failed_authentications_from_ip.yml index 9591c38b3c..f2cbee410e 100644 --- a/detections/cloud/gcp_unusual_number_of_failed_authentications_from_ip.yml +++ b/detections/cloud/gcp_unusual_number_of_failed_authentications_from_ip.yml @@ -17,12 +17,12 @@ references: - https://attack.mitre.org/techniques/T1110/003/ - https://www.blackhillsinfosec.com/wp-content/uploads/2020/05/Breaching-the-Cloud-Perimeter-Slides.pdf drilldown_searches: -- name: View the detection results for $tried_accounts$ - search: '%original_detection_search% | search tried_accounts = $tried_accounts$' +- name: View the detection results for - "$tried_accounts$" + search: '%original_detection_search% | search tried_accounts = "$tried_accounts$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $tried_accounts$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($tried_accounts$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$tried_accounts$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$tried_accounts$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/cloud/gdrive_suspicious_file_sharing.yml b/detections/cloud/gdrive_suspicious_file_sharing.yml index 22c1125fce..7474c49123 100644 --- a/detections/cloud/gdrive_suspicious_file_sharing.yml +++ b/detections/cloud/gdrive_suspicious_file_sharing.yml @@ -5,27 +5,11 @@ date: '2024-10-17' author: Rod Soto, Teoderick Contreras status: experimental type: Hunting -description: The following analytic identifies suspicious file-sharing activity on - Google Drive, where internal users share documents with more than 50 external recipients. - It leverages GSuite Drive logs, focusing on changes in user access and filtering - for emails outside the organization's domain. This activity is significant as it - may indicate compromised accounts or intentional data exfiltration. If confirmed - malicious, this behavior could lead to unauthorized access to sensitive information, - data leaks, and potential compliance violations. +description: The following analytic identifies suspicious file-sharing activity on Google Drive, where internal users share documents with more than 50 external recipients. It leverages GSuite Drive logs, focusing on changes in user access and filtering for emails outside the organization's domain. This activity is significant as it may indicate compromised accounts or intentional data exfiltration. If confirmed malicious, this behavior could lead to unauthorized access to sensitive information, data leaks, and potential compliance violations. data_source: [] -search: '`gsuite_drive` name=change_user_access | rename parameters.* as * | search - email = "*@yourdomain.com" target_user != "*@yourdomain.com" | stats count values(owner) - as owner values(target_user) as target values(doc_type) as doc_type values(doc_title) - as doc_title dc(target_user) as distinct_target by src_ip email | where distinct_target - > 50 | `gdrive_suspicious_file_sharing_filter`' -how_to_implement: Need to implement Gsuite logging targeting Google suite drive activity. - In order for the search to work for your environment please update `yourdomain.com` - value in the query with the domain relavant for your organization. -known_false_positives: This is an anomaly search, you must specify your domain in - the parameters so it either filters outside domains or focus on internal domains. - This search may also help investigate compromise of accounts. By looking at for - example source ip addresses, document titles and abnormal number of shares and shared - target users. +search: '`gsuite_drive` name=change_user_access | rename parameters.* as * | search email = "*@yourdomain.com" target_user != "*@yourdomain.com" | stats count values(owner) as owner values(target_user) as target values(doc_type) as doc_type values(doc_title) as doc_title dc(target_user) as distinct_target by src_ip email | where distinct_target > 50 | `gdrive_suspicious_file_sharing_filter`' +how_to_implement: Need to implement Gsuite logging targeting Google suite drive activity. In order for the search to work for your environment please update `yourdomain.com` value in the query with the domain relavant for your organization. +known_false_positives: This is an anomaly search, you must specify your domain in the parameters so it either filters outside domains or focus on internal domains. This search may also help investigate compromise of accounts. By looking at for example source ip addresses, document titles and abnormal number of shares and shared target users. references: - https://www.splunk.com/en_us/blog/security/investigating-gsuite-phishing-attacks-with-splunk.html tags: diff --git a/detections/cloud/github_actions_disable_security_workflow.yml b/detections/cloud/github_actions_disable_security_workflow.yml index 73a1e8401a..8b78e52e92 100644 --- a/detections/cloud/github_actions_disable_security_workflow.yml +++ b/detections/cloud/github_actions_disable_security_workflow.yml @@ -14,12 +14,12 @@ known_false_positives: unknown references: - https://www.splunk.com/en_us/blog/tips-and-tricks/getting-github-data-with-webhooks.html drilldown_searches: -- name: View the detection results for $repository$ - search: '%original_detection_search% | search repository = $repository$' +- name: View the detection results for - "$repository$" + search: '%original_detection_search% | search repository = "$repository$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $repository$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($repository$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$repository$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$repository$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/cloud/github_commit_changes_in_master.yml b/detections/cloud/github_commit_changes_in_master.yml index 0d27f7b2c7..0b4dfdad1e 100644 --- a/detections/cloud/github_commit_changes_in_master.yml +++ b/detections/cloud/github_commit_changes_in_master.yml @@ -14,12 +14,12 @@ known_false_positives: Admin can do changes directly to master branch references: - https://www.redhat.com/en/topics/devops/what-is-devsecops drilldown_searches: -- name: View the detection results for $commit.commit.author.email$ - search: '%original_detection_search% | search commit.commit.author.email = $commit.commit.author.email$' +- name: View the detection results for - "$commit.commit.author.email$" + search: '%original_detection_search% | search commit.commit.author.email = "$commit.commit.author.email$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $commit.commit.author.email$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($commit.commit.author.email$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$commit.commit.author.email$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$commit.commit.author.email$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/cloud/github_commit_in_develop.yml b/detections/cloud/github_commit_in_develop.yml index c4ef73d225..7e50ba10a1 100644 --- a/detections/cloud/github_commit_in_develop.yml +++ b/detections/cloud/github_commit_in_develop.yml @@ -14,12 +14,12 @@ known_false_positives: admin can do changes directly to develop branch references: - https://www.redhat.com/en/topics/devops/what-is-devsecops drilldown_searches: -- name: View the detection results for $commit.commit.author.email$ - search: '%original_detection_search% | search commit.commit.author.email = $commit.commit.author.email$' +- name: View the detection results for - "$commit.commit.author.email$" + search: '%original_detection_search% | search commit.commit.author.email = "$commit.commit.author.email$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $commit.commit.author.email$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($commit.commit.author.email$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$commit.commit.author.email$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$commit.commit.author.email$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/cloud/github_dependabot_alert.yml b/detections/cloud/github_dependabot_alert.yml index d13aa71985..e8e0626850 100644 --- a/detections/cloud/github_dependabot_alert.yml +++ b/detections/cloud/github_dependabot_alert.yml @@ -14,12 +14,12 @@ known_false_positives: unknown references: - https://www.splunk.com/en_us/blog/tips-and-tricks/getting-github-data-with-webhooks.html drilldown_searches: -- name: View the detection results for $repository$ - search: '%original_detection_search% | search repository = $repository$' +- name: View the detection results for - "$repository$" + search: '%original_detection_search% | search repository = "$repository$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $repository$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($repository$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$repository$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$repository$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/cloud/github_pull_request_from_unknown_user.yml b/detections/cloud/github_pull_request_from_unknown_user.yml index 0a631bb6d2..fceb64ab77 100644 --- a/detections/cloud/github_pull_request_from_unknown_user.yml +++ b/detections/cloud/github_pull_request_from_unknown_user.yml @@ -14,12 +14,12 @@ known_false_positives: unknown references: - https://www.splunk.com/en_us/blog/tips-and-tricks/getting-github-data-with-webhooks.html drilldown_searches: -- name: View the detection results for $repository$ - search: '%original_detection_search% | search repository = $repository$' +- name: View the detection results for - "$repository$" + search: '%original_detection_search% | search repository = "$repository$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $repository$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($repository$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$repository$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$repository$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/cloud/gsuite_drive_share_in_external_email.yml b/detections/cloud/gsuite_drive_share_in_external_email.yml index 6b6b8e5a0e..3e317d4b19 100644 --- a/detections/cloud/gsuite_drive_share_in_external_email.yml +++ b/detections/cloud/gsuite_drive_share_in_external_email.yml @@ -5,31 +5,12 @@ date: '2024-10-17' author: Teoderick Contreras, Splunk status: experimental type: Anomaly -description: The following analytic detects Google Drive or Google Docs files shared - externally from an internal domain. It leverages GSuite Drive logs, extracting and - comparing the source and destination email domains to identify external sharing. - This activity is significant as it may indicate potential data exfiltration by an - attacker or insider. If confirmed malicious, this could lead to unauthorized access - to sensitive information, data leakage, and potential compliance violations. Monitoring - this behavior helps in early detection and mitigation of data breaches. -data_source: +description: The following analytic detects Google Drive or Google Docs files shared externally from an internal domain. It leverages GSuite Drive logs, extracting and comparing the source and destination email domains to identify external sharing. This activity is significant as it may indicate potential data exfiltration by an attacker or insider. If confirmed malicious, this could lead to unauthorized access to sensitive information, data leakage, and potential compliance violations. Monitoring this behavior helps in early detection and mitigation of data breaches. +data_source: - G Suite Drive -search: '`gsuite_drive` NOT (email IN("", "null")) | rex field=parameters.owner "[^@]+@(?[^@]+)" - | rex field=email "[^@]+@(?[^@]+)" | where src_domain = "internal_test_email.com" - and not dest_domain = "internal_test_email.com" | eval phase="plan" | eval severity="low" - | stats values(parameters.doc_title) as doc_title, values(parameters.doc_type) as - doc_types, values(email) as dst_email_list, values(parameters.visibility) as visibility, - values(parameters.doc_id) as doc_id, count min(_time) as firstTime max(_time) as - lastTime by parameters.owner ip_address phase severity | rename parameters.owner - as user ip_address as src_ip | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` - | `gsuite_drive_share_in_external_email_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting - logs related to gsuite having the file attachment metadata like file type, file - extension, source email, destination email, num of attachment and etc. In order - for the search to work for your environment, please edit the query to use your company - specific email domain instead of `internal_test_email.com`. -known_false_positives: network admin or normal user may share files to customer and - external team. +search: '`gsuite_drive` NOT (email IN("", "null")) | rex field=parameters.owner "[^@]+@(?[^@]+)" | rex field=email "[^@]+@(?[^@]+)" | where src_domain = "internal_test_email.com" and not dest_domain = "internal_test_email.com" | eval phase="plan" | eval severity="low" | stats values(parameters.doc_title) as doc_title, values(parameters.doc_type) as doc_types, values(email) as dst_email_list, values(parameters.visibility) as visibility, values(parameters.doc_id) as doc_id, count min(_time) as firstTime max(_time) as lastTime by parameters.owner ip_address phase severity | rename parameters.owner as user ip_address as src_ip | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `gsuite_drive_share_in_external_email_filter`' +how_to_implement: To successfully implement this search, you need to be ingesting logs related to gsuite having the file attachment metadata like file type, file extension, source email, destination email, num of attachment and etc. In order for the search to work for your environment, please edit the query to use your company specific email domain instead of `internal_test_email.com`. +known_false_positives: network admin or normal user may share files to customer and external team. references: - https://www.redhat.com/en/topics/devops/what-is-devsecops tags: @@ -70,7 +51,6 @@ tags: tests: - name: True Positive Test attack_data: - - data: - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1567.002/gsuite_share_drive/gdrive_share_external.log + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1567.002/gsuite_share_drive/gdrive_share_external.log source: http:gsuite sourcetype: gsuite:drive:json diff --git a/detections/cloud/gsuite_email_suspicious_attachment.yml b/detections/cloud/gsuite_email_suspicious_attachment.yml index 7ff5fd37ee..363b494a92 100644 --- a/detections/cloud/gsuite_email_suspicious_attachment.yml +++ b/detections/cloud/gsuite_email_suspicious_attachment.yml @@ -14,12 +14,12 @@ known_false_positives: network admin and normal user may send this file attachme references: - https://www.redhat.com/en/topics/devops/what-is-devsecops drilldown_searches: -- name: View the detection results for $destination{}.address$ - search: '%original_detection_search% | search destination{}.address = $destination{}.address$' +- name: View the detection results for - "$destination{}.address$" + search: '%original_detection_search% | search destination{}.address = "$destination{}.address$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $destination{}.address$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($destination{}.address$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$destination{}.address$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$destination{}.address$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/cloud/gsuite_email_suspicious_subject_with_attachment.yml b/detections/cloud/gsuite_email_suspicious_subject_with_attachment.yml index b81bb01297..3576d818d8 100644 --- a/detections/cloud/gsuite_email_suspicious_subject_with_attachment.yml +++ b/detections/cloud/gsuite_email_suspicious_subject_with_attachment.yml @@ -15,12 +15,12 @@ references: - https://www.redhat.com/en/topics/devops/what-is-devsecops - https://www.mandiant.com/resources/top-words-used-in-spear-phishing-attacks drilldown_searches: -- name: View the detection results for $destination{}.address$ - search: '%original_detection_search% | search destination{}.address = $destination{}.address$' +- name: View the detection results for - "$destination{}.address$" + search: '%original_detection_search% | search destination{}.address = "$destination{}.address$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $destination{}.address$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($destination{}.address$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$destination{}.address$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$destination{}.address$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/cloud/gsuite_email_with_known_abuse_web_service_link.yml b/detections/cloud/gsuite_email_with_known_abuse_web_service_link.yml index a899b03e17..c46a891b53 100644 --- a/detections/cloud/gsuite_email_with_known_abuse_web_service_link.yml +++ b/detections/cloud/gsuite_email_with_known_abuse_web_service_link.yml @@ -14,12 +14,12 @@ known_false_positives: normal email contains this link that are known applicatio references: - https://news.sophos.com/en-us/2021/07/22/malware-increasingly-targets-discord-for-abuse/ drilldown_searches: -- name: View the detection results for $destination{}.address$ - search: '%original_detection_search% | search destination{}.address = $destination{}.address$' +- name: View the detection results for - "$destination{}.address$" + search: '%original_detection_search% | search destination{}.address = "$destination{}.address$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $destination{}.address$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($destination{}.address$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$destination{}.address$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$destination{}.address$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/cloud/gsuite_outbound_email_with_attachment_to_external_domain.yml b/detections/cloud/gsuite_outbound_email_with_attachment_to_external_domain.yml index 1c4db1a9e4..18550c4d68 100644 --- a/detections/cloud/gsuite_outbound_email_with_attachment_to_external_domain.yml +++ b/detections/cloud/gsuite_outbound_email_with_attachment_to_external_domain.yml @@ -5,29 +5,12 @@ date: '2024-10-17' author: Teoderick Contreras, Stanislav Miskovic, Splunk status: production type: Hunting -description: The following analytic detects outbound emails with attachments sent - from an internal email domain to an external domain. It leverages Gsuite Gmail logs, - parsing the source and destination email domains, and flags emails with fewer than - 20 outbound instances. This activity is significant as it may indicate potential - data exfiltration or insider threats. If confirmed malicious, an attacker could - use this method to exfiltrate sensitive information, leading to data breaches and - compliance violations. +description: The following analytic detects outbound emails with attachments sent from an internal email domain to an external domain. It leverages Gsuite Gmail logs, parsing the source and destination email domains, and flags emails with fewer than 20 outbound instances. This activity is significant as it may indicate potential data exfiltration or insider threats. If confirmed malicious, an attacker could use this method to exfiltrate sensitive information, leading to data breaches and compliance violations. data_source: - G Suite Gmail -search: '`gsuite_gmail` num_message_attachments > 0 | rex field=source.from_header_address - "[^@]+@(?[^@]+)" | rex field=destination{}.address "[^@]+@(?[^@]+)" - | where source_domain="internal_test_email.com" and not dest_domain="internal_test_email.com" - | eval phase="plan" | eval severity="low" | stats values(subject) as subject, values(source.from_header_address) - as src_domain_list, count as numEvents, dc(source.from_header_address) as numSrcAddresses, - min(_time) as firstTime max(_time) as lastTime by dest_domain phase severity | where - numSrcAddresses < 20 |sort - numSrcAddresses | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` | `gsuite_outbound_email_with_attachment_to_external_domain_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting - logs related to gsuite having the file attachment metadata like file type, file - extension, source email, destination email, num of attachment and etc. -known_false_positives: network admin and normal user may send this file attachment - as part of their day to day work. having a good protocol in attaching this file - type to an e-mail may reduce the risk of having a spear phishing attack. +search: '`gsuite_gmail` num_message_attachments > 0 | rex field=source.from_header_address "[^@]+@(?[^@]+)" | rex field=destination{}.address "[^@]+@(?[^@]+)" | where source_domain="internal_test_email.com" and not dest_domain="internal_test_email.com" | eval phase="plan" | eval severity="low" | stats values(subject) as subject, values(source.from_header_address) as src_domain_list, count as numEvents, dc(source.from_header_address) as numSrcAddresses, min(_time) as firstTime max(_time) as lastTime by dest_domain phase severity | where numSrcAddresses < 20 |sort - numSrcAddresses | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `gsuite_outbound_email_with_attachment_to_external_domain_filter`' +how_to_implement: To successfully implement this search, you need to be ingesting logs related to gsuite having the file attachment metadata like file type, file extension, source email, destination email, num of attachment and etc. +known_false_positives: network admin and normal user may send this file attachment as part of their day to day work. having a good protocol in attaching this file type to an e-mail may reduce the risk of having a spear phishing attack. references: - https://www.redhat.com/en/topics/devops/what-is-devsecops tags: @@ -67,7 +50,6 @@ tags: tests: - name: True Positive Test attack_data: - - data: - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566.001/gsuite_outbound_email_to_external/gsuite_external_domain.log + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566.001/gsuite_outbound_email_to_external/gsuite_external_domain.log source: http:gsuite sourcetype: gsuite:gmail:bigquery diff --git a/detections/cloud/gsuite_suspicious_calendar_invite.yml b/detections/cloud/gsuite_suspicious_calendar_invite.yml index e363ae7580..7cdf511a80 100644 --- a/detections/cloud/gsuite_suspicious_calendar_invite.yml +++ b/detections/cloud/gsuite_suspicious_calendar_invite.yml @@ -5,28 +5,11 @@ date: '2024-10-17' author: Rod Soto, Teoderick Contreras status: experimental type: Hunting -description: The following analytic detects suspicious calendar invites sent via GSuite, - potentially indicating compromised accounts or malicious internal activity. It leverages - GSuite calendar logs, focusing on events where a high volume of invites (over 100) - is sent within a 5-minute window. This behavior is significant as it may involve - the distribution of malicious links or attachments, posing a security risk. If confirmed - malicious, this activity could lead to widespread phishing attacks, unauthorized - access, or malware distribution within the organization. +description: The following analytic detects suspicious calendar invites sent via GSuite, potentially indicating compromised accounts or malicious internal activity. It leverages GSuite calendar logs, focusing on events where a high volume of invites (over 100) is sent within a 5-minute window. This behavior is significant as it may involve the distribution of malicious links or attachments, posing a security risk. If confirmed malicious, this activity could lead to widespread phishing attacks, unauthorized access, or malware distribution within the organization. data_source: [] -search: '`gsuite_calendar` |bin span=5m _time |rename parameters.* as * |search target_calendar_id!=null - email="*yourdomain.com"| stats count values(target_calendar_id) values(event_title) - values(event_guest) by email _time | where count >100| `gsuite_suspicious_calendar_invite_filter`' -how_to_implement: In order to successfully implement this search, you need to be ingesting - logs related to gsuite (gsuite:calendar:json) having the file sharing metadata like - file type, source owner, destination target user, description, etc. This search - can also be made more specific by selecting specific emails, subdomains timeframe, - organizational units, targeted user, etc. In order for the search to work for your - environment please update `yourdomain.com` value in the query with the domain relavant - for your organization. -known_false_positives: This search will also produce normal activity statistics. Fields - such as email, ip address, name, parameters.organizer_calendar_id, parameters.target_calendar_id - and parameters.event_title may give away phishing intent.For more specific results - use email parameter. +search: '`gsuite_calendar` |bin span=5m _time |rename parameters.* as * |search target_calendar_id!=null email="*yourdomain.com"| stats count values(target_calendar_id) values(event_title) values(event_guest) by email _time | where count >100| `gsuite_suspicious_calendar_invite_filter`' +how_to_implement: In order to successfully implement this search, you need to be ingesting logs related to gsuite (gsuite:calendar:json) having the file sharing metadata like file type, source owner, destination target user, description, etc. This search can also be made more specific by selecting specific emails, subdomains timeframe, organizational units, targeted user, etc. In order for the search to work for your environment please update `yourdomain.com` value in the query with the domain relavant for your organization. +known_false_positives: This search will also produce normal activity statistics. Fields such as email, ip address, name, parameters.organizer_calendar_id, parameters.target_calendar_id and parameters.event_title may give away phishing intent.For more specific results use email parameter. references: - https://www.techrepublic.com/article/how-to-avoid-the-dreaded-google-calendar-malicious-invite-issue/ - https://gcn.com/cybersecurity/2012/09/the-20-most-common-words-in-phishing-attacks/280956/ diff --git a/detections/cloud/gsuite_suspicious_shared_file_name.yml b/detections/cloud/gsuite_suspicious_shared_file_name.yml index 8f21951eff..dab42e8b75 100644 --- a/detections/cloud/gsuite_suspicious_shared_file_name.yml +++ b/detections/cloud/gsuite_suspicious_shared_file_name.yml @@ -15,12 +15,12 @@ references: - https://www.redhat.com/en/topics/devops/what-is-devsecops - https://www.mandiant.com/resources/top-words-used-in-spear-phishing-attacks drilldown_searches: -- name: View the detection results for $email$ - search: '%original_detection_search% | search email = $email$' +- name: View the detection results for - "$email$" + search: '%original_detection_search% | search email = "$email$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $email$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($email$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$email$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$email$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/cloud/high_number_of_login_failures_from_a_single_source.yml b/detections/cloud/high_number_of_login_failures_from_a_single_source.yml index b831e72d79..60042df478 100644 --- a/detections/cloud/high_number_of_login_failures_from_a_single_source.yml +++ b/detections/cloud/high_number_of_login_failures_from_a_single_source.yml @@ -17,12 +17,12 @@ references: - https://www.cisa.gov/uscert/ncas/alerts/aa21-008a - https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes drilldown_searches: -- name: View the detection results for $user$ - search: '%original_detection_search% | search user = $user$' +- name: View the detection results for - "$user$" + search: '%original_detection_search% | search user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/cloud/kubernetes_abuse_of_secret_by_unusual_location.yml b/detections/cloud/kubernetes_abuse_of_secret_by_unusual_location.yml index d6824848f6..690001002c 100644 --- a/detections/cloud/kubernetes_abuse_of_secret_by_unusual_location.yml +++ b/detections/cloud/kubernetes_abuse_of_secret_by_unusual_location.yml @@ -14,12 +14,12 @@ known_false_positives: unknown references: - https://kubernetes.io/docs/tasks/debug/debug-cluster/audit/ drilldown_searches: -- name: View the detection results for $user$ - search: '%original_detection_search% | search user = $user$' +- name: View the detection results for - "$user$" + search: '%original_detection_search% | search user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/cloud/kubernetes_abuse_of_secret_by_unusual_user_agent.yml b/detections/cloud/kubernetes_abuse_of_secret_by_unusual_user_agent.yml index c6ea9dc29f..2708207fdf 100644 --- a/detections/cloud/kubernetes_abuse_of_secret_by_unusual_user_agent.yml +++ b/detections/cloud/kubernetes_abuse_of_secret_by_unusual_user_agent.yml @@ -14,12 +14,12 @@ known_false_positives: unknown references: - https://kubernetes.io/docs/tasks/debug/debug-cluster/audit/ drilldown_searches: -- name: View the detection results for $user$ - search: '%original_detection_search% | search user = $user$' +- name: View the detection results for - "$user$" + search: '%original_detection_search% | search user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/cloud/kubernetes_abuse_of_secret_by_unusual_user_group.yml b/detections/cloud/kubernetes_abuse_of_secret_by_unusual_user_group.yml index f200d7bd78..2bea11aa69 100644 --- a/detections/cloud/kubernetes_abuse_of_secret_by_unusual_user_group.yml +++ b/detections/cloud/kubernetes_abuse_of_secret_by_unusual_user_group.yml @@ -14,12 +14,12 @@ known_false_positives: unknown references: - https://kubernetes.io/docs/tasks/debug/debug-cluster/audit/ drilldown_searches: -- name: View the detection results for $user$ - search: '%original_detection_search% | search user = $user$' +- name: View the detection results for - "$user$" + search: '%original_detection_search% | search user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/cloud/kubernetes_abuse_of_secret_by_unusual_user_name.yml b/detections/cloud/kubernetes_abuse_of_secret_by_unusual_user_name.yml index 088f80d66b..19d9174b1a 100644 --- a/detections/cloud/kubernetes_abuse_of_secret_by_unusual_user_name.yml +++ b/detections/cloud/kubernetes_abuse_of_secret_by_unusual_user_name.yml @@ -14,12 +14,12 @@ known_false_positives: unknown references: - https://kubernetes.io/docs/tasks/debug/debug-cluster/audit/ drilldown_searches: -- name: View the detection results for $user$ - search: '%original_detection_search% | search user = $user$' +- name: View the detection results for - "$user$" + search: '%original_detection_search% | search user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/cloud/kubernetes_access_scanning.yml b/detections/cloud/kubernetes_access_scanning.yml index def4595d14..9a518a2606 100644 --- a/detections/cloud/kubernetes_access_scanning.yml +++ b/detections/cloud/kubernetes_access_scanning.yml @@ -14,12 +14,12 @@ known_false_positives: unknown references: - https://kubernetes.io/docs/tasks/debug/debug-cluster/audit/ drilldown_searches: -- name: View the detection results for $user$ - search: '%original_detection_search% | search user = $user$' +- name: View the detection results for - "$user$" + search: '%original_detection_search% | search user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/cloud/kubernetes_anomalous_inbound_network_activity_from_process.yml b/detections/cloud/kubernetes_anomalous_inbound_network_activity_from_process.yml index d5f4a7b0a2..47a0a09794 100644 --- a/detections/cloud/kubernetes_anomalous_inbound_network_activity_from_process.yml +++ b/detections/cloud/kubernetes_anomalous_inbound_network_activity_from_process.yml @@ -5,44 +5,12 @@ date: '2024-10-17' author: Matthew Moore, Splunk status: experimental type: Anomaly -description: 'The following analytic identifies anomalous inbound network traffic - volumes from processes within containerized workloads. It leverages Network Performance - Monitoring metrics collected via an OTEL collector and pulled from Splunk Observability - Cloud. The detection compares recent metrics (tcp.bytes, tcp.new_sockets, tcp.packets, - udp.bytes, udp.packets) over the last hour with the average over the past 30 days. - This activity is significant as it may indicate unauthorized data reception, potential - breaches, vulnerability exploitation, or malware propagation. If confirmed malicious, - it could lead to command and control installation, data integrity damage, container - escape, and further environment compromise.' +description: The following analytic identifies anomalous inbound network traffic volumes from processes within containerized workloads. It leverages Network Performance Monitoring metrics collected via an OTEL collector and pulled from Splunk Observability Cloud. The detection compares recent metrics (tcp.bytes, tcp.new_sockets, tcp.packets, udp.bytes, udp.packets) over the last hour with the average over the past 30 days. This activity is significant as it may indicate unauthorized data reception, potential breaches, vulnerability exploitation, or malware propagation. If confirmed malicious, it could lead to command and control installation, data integrity damage, container escape, and further environment compromise. data_source: [] -search: '| mstats avg(tcp.*) as tcp.* avg(udp.*) as udp.* where `kubernetes_metrics` AND earliest=-1h by k8s.cluster.name dest.workload.name dest.process.name span=10s - | eval key=''dest.workload.name'' + ":" + ''dest.process.name'' - | join type=left key - [ mstats avg(tcp.*) as avg_tcp.* avg(udp.*) as avg_udp.* stdev(tcp.*) as stdev_tcp.* avg(udp.*) as stdev_udp.* where `kubernetes_metrics` AND earliest=-30d latest=-1h by dest.workload.name dest.process.name - | eval key=''dest.workload.name'' + ":" + ''dest.process.name'' - ] - | eval anomalies = "" - | foreach stdev_* - [ eval anomalies =if( ''<>'' > (''avg_<>'' + 3 * ''stdev_<>''), anomalies + "<> higher than average by " + - tostring(round((''<>'' - ''avg_<>'')/''stdev_<>'' ,2)) + " Standard Deviations. <>=" + tostring(''<>'') + " avg_<>=" - + tostring(''avg_<>'') + " ''stdev_<>''=" + tostring(''stdev_<>'') + ", " - , anomalies) - ] - | fillnull - | eval anomalies = split(replace(anomalies, ",\s$$$$", "") ,", ") - | where anomalies!="" - | stats count(anomalies) as count values(anomalies) as anomalies by k8s.cluster.name dest.workload.name dest.process.name - | where count > 5 - | rename k8s.cluster.name as host - | `kubernetes_anomalous_inbound_network_activity_from_process_filter`' -how_to_implement: 'To gather NPM metrics the Open Telemetry to the Kubernetes Cluster and - enable Network Performance Monitoring according to instructions found in Splunk Docs - https://docs.splunk.com/observability/en/infrastructure/network-explorer/network-explorer-setup.html#network-explorer-setup - In order to access those metrics from within Splunk Enterprise and ES, the Splunk Infrastructure Monitoring add-on must be installed and - configured on a Splunk Search Head. Once installed, first configure the add-on with your O11y Cloud Org ID and Access Token. - Lastly set up the add-on to ingest metrics from O11y cloud using the following settings, and any other settings left at default: - - * Name sim_npm_metrics_to_metrics_index +search: '| mstats avg(tcp.*) as tcp.* avg(udp.*) as udp.* where `kubernetes_metrics` AND earliest=-1h by k8s.cluster.name dest.workload.name dest.process.name span=10s | eval key=''dest.workload.name'' + ":" + ''dest.process.name'' | join type=left key [ mstats avg(tcp.*) as avg_tcp.* avg(udp.*) as avg_udp.* stdev(tcp.*) as stdev_tcp.* avg(udp.*) as stdev_udp.* where `kubernetes_metrics` AND earliest=-30d latest=-1h by dest.workload.name dest.process.name | eval key=''dest.workload.name'' + ":" + ''dest.process.name'' ] | eval anomalies = "" | foreach stdev_* [ eval anomalies =if( ''<>'' > (''avg_<>'' + 3 * ''stdev_<>''), anomalies + "<> higher than average by " + tostring(round((''<>'' - ''avg_<>'')/''stdev_<>'' ,2)) + " Standard Deviations. <>=" + tostring(''<>'') + " avg_<>=" + tostring(''avg_<>'') + " ''stdev_<>''=" + tostring(''stdev_<>'') + ", " , anomalies) ] | fillnull | eval anomalies = split(replace(anomalies, ",\s$$$$", "") ,", ") | where anomalies!="" | stats count(anomalies) as count values(anomalies) as anomalies by k8s.cluster.name dest.workload.name dest.process.name | where count > 5 | rename k8s.cluster.name as host | `kubernetes_anomalous_inbound_network_activity_from_process_filter`' +how_to_implement: 'To gather NPM metrics the Open Telemetry to the Kubernetes Cluster and enable Network Performance Monitoring according to instructions found in Splunk Docs https://docs.splunk.com/observability/en/infrastructure/network-explorer/network-explorer-setup.html#network-explorer-setup In order to access those metrics from within Splunk Enterprise and ES, the Splunk Infrastructure Monitoring add-on must be installed and configured on a Splunk Search Head. Once installed, first configure the add-on with your O11y Cloud Org ID and Access Token. Lastly set up the add-on to ingest metrics from O11y cloud using the following settings, and any other settings left at default: + + * Name sim_npm_metrics_to_metrics_index * Metric Resolution 10000' known_false_positives: unknown @@ -54,8 +22,7 @@ tags: asset_type: Kubernetes confidence: 50 impact: 50 - message: Kubernetes Anomalous Inbound Network Activity from Process in kubernetes - cluster $host$ + message: Kubernetes Anomalous Inbound Network Activity from Process in kubernetes cluster $host$ mitre_attack_id: - T1204 observable: diff --git a/detections/cloud/kubernetes_anomalous_inbound_outbound_network_io.yml b/detections/cloud/kubernetes_anomalous_inbound_outbound_network_io.yml index 627f7f217c..4abba838f5 100644 --- a/detections/cloud/kubernetes_anomalous_inbound_outbound_network_io.yml +++ b/detections/cloud/kubernetes_anomalous_inbound_outbound_network_io.yml @@ -5,59 +5,26 @@ date: '2024-10-17' author: Matthew Moore, Splunk status: experimental type: Anomaly -description: The following analytic identifies high inbound or outbound network I/O - anomalies in Kubernetes containers. It leverages process metrics from an OTEL collector - and Kubelet Stats Receiver, along with data from Splunk Observability Cloud. A lookup - table with average and standard deviation values for network I/O is used to detect - anomalies persisting over a 1-hour period. This activity is significant as it may - indicate data exfiltration, command and control communication, or unauthorized data - transfers. If confirmed malicious, it could lead to data breaches, service outages, - financial losses, and reputational damage. +description: The following analytic identifies high inbound or outbound network I/O anomalies in Kubernetes containers. It leverages process metrics from an OTEL collector and Kubelet Stats Receiver, along with data from Splunk Observability Cloud. A lookup table with average and standard deviation values for network I/O is used to detect anomalies persisting over a 1-hour period. This activity is significant as it may indicate data exfiltration, command and control communication, or unauthorized data transfers. If confirmed malicious, it could lead to data breaches, service outages, financial losses, and reputational damage. data_source: [] -search: '| mstats avg(k8s.pod.network.io) as io where `kubernetes_metrics` by k8s.cluster.name k8s.pod.name k8s.node.name direction span=10s - | eval service = replace(''k8s.pod.name'', "-\w{5}$$|-[abcdef0-9]{8,10}-\w{5}$$", "") - | stats avg(eval(if(direction="transmit", io,null()))) as outbound_network_io avg(eval(if(direction="receive", io,null()))) as inbound_network_io by k8s.cluster.name k8s.node.name k8s.pod.name service _time - | eval key = ''k8s.cluster.name'' + ":" + ''service'' - | lookup k8s_container_network_io_baseline key - | eval anomalies = "" - | foreach stdev_* - [ eval anomalies =if( ''<>'' > (''avg_<>'' + 4 * ''stdev_<>''), anomalies + "<> higher than average by " + - tostring(round((''<>'' - ''avg_<>'')/''stdev_<>'' ,2)) + " Standard Deviations. <>=" + tostring(''<>'') + " avg_<>=" - + tostring(''avg_<>'') + " ''stdev_<>''=" + tostring(''stdev_<>'') + ", " - , anomalies) - ] - | eval anomalies = replace(anomalies, ",\s$$", "") - | where anomalies!="" - | stats count values(anomalies) as anomalies by k8s.cluster.name k8s.node.name k8s.pod.name service - | rename service as k8s.service - | where count > 5 - | rename k8s.node.name as host - | `kubernetes_anomalous_inbound_outbound_network_io_filter`' -how_to_implement: 'To implement this detection, follow these steps: - +search: '| mstats avg(k8s.pod.network.io) as io where `kubernetes_metrics` by k8s.cluster.name k8s.pod.name k8s.node.name direction span=10s | eval service = replace(''k8s.pod.name'', "-\w{5}$$|-[abcdef0-9]{8,10}-\w{5}$$", "") | stats avg(eval(if(direction="transmit", io,null()))) as outbound_network_io avg(eval(if(direction="receive", io,null()))) as inbound_network_io by k8s.cluster.name k8s.node.name k8s.pod.name service _time | eval key = ''k8s.cluster.name'' + ":" + ''service'' | lookup k8s_container_network_io_baseline key | eval anomalies = "" | foreach stdev_* [ eval anomalies =if( ''<>'' > (''avg_<>'' + 4 * ''stdev_<>''), anomalies + "<> higher than average by " + tostring(round((''<>'' - ''avg_<>'')/''stdev_<>'' ,2)) + " Standard Deviations. <>=" + tostring(''<>'') + " avg_<>=" + tostring(''avg_<>'') + " ''stdev_<>''=" + tostring(''stdev_<>'') + ", " , anomalies) ] | eval anomalies = replace(anomalies, ",\s$$", "") | where anomalies!="" | stats count values(anomalies) as anomalies by k8s.cluster.name k8s.node.name k8s.pod.name service | rename service as k8s.service | where count > 5 | rename k8s.node.name as host | `kubernetes_anomalous_inbound_outbound_network_io_filter`' +how_to_implement: 'To implement this detection, follow these steps: + * Deploy the OpenTelemetry Collector (OTEL) to your Kubernetes cluster. * Enable the hostmetrics/process receiver in the OTEL configuration. - * Ensure that the process metrics, specifically Process.cpu.utilization and process.memory.utilization, - are enabled. + * Ensure that the process metrics, specifically Process.cpu.utilization and process.memory.utilization, are enabled. * Install the Splunk Infrastructure Monitoring (SIM) add-on. (ref: https://splunkbase.splunk.com/app/5247) - * Configure the SIM add-on with your Observability Cloud Organization ID and Access - Token. + * Configure the SIM add-on with your Observability Cloud Organization ID and Access Token. * Set up the SIM modular input to ingest Process Metrics. Name this input "sim_process_metrics_to_metrics_index". - * In the SIM configuration, set the Organization ID to your Observability Cloud - Organization ID. + * In the SIM configuration, set the Organization ID to your Observability Cloud Organization ID. - * Set the Signal Flow Program to the following: data(''process.threads'').publish(label=''A''); - data(''process.cpu.utilization'').publish(label=''B''); data(''process.cpu.time'').publish(label=''C''); - data(''process.disk.io'').publish(label=''D''); data(''process.memory.usage'').publish(label=''E''); - data(''process.memory.virtual'').publish(label=''F''); data(''process.memory.utilization'').publish(label=''G''); - data(''process.cpu.utilization'').publish(label=''H''); data(''process.disk.operations'').publish(label=''I''); - data(''process.handles'').publish(label=''J''); data(''process.threads'').publish(label=''K'') + * Set the Signal Flow Program to the following: data(''process.threads'').publish(label=''A''); data(''process.cpu.utilization'').publish(label=''B''); data(''process.cpu.time'').publish(label=''C''); data(''process.disk.io'').publish(label=''D''); data(''process.memory.usage'').publish(label=''E''); data(''process.memory.virtual'').publish(label=''F''); data(''process.memory.utilization'').publish(label=''G''); data(''process.cpu.utilization'').publish(label=''H''); data(''process.disk.operations'').publish(label=''I''); data(''process.handles'').publish(label=''J''); data(''process.threads'').publish(label=''K'') * Set the Metric Resolution to 10000. @@ -73,8 +40,7 @@ tags: asset_type: Kubernetes confidence: 50 impact: 50 - message: Kubernetes Anomalous Inbound Outbound Network IO from container on host - $host$ + message: Kubernetes Anomalous Inbound Outbound Network IO from container on host $host$ mitre_attack_id: - T1204 observable: diff --git a/detections/cloud/kubernetes_anomalous_inbound_to_outbound_network_io_ratio.yml b/detections/cloud/kubernetes_anomalous_inbound_to_outbound_network_io_ratio.yml index 9d564652ac..27a409f186 100644 --- a/detections/cloud/kubernetes_anomalous_inbound_to_outbound_network_io_ratio.yml +++ b/detections/cloud/kubernetes_anomalous_inbound_to_outbound_network_io_ratio.yml @@ -5,63 +5,26 @@ date: '2024-10-17' author: Matthew Moore, Splunk status: experimental type: Anomaly -description: The following analytic identifies significant changes in network communication - behavior within Kubernetes containers by examining the inbound to outbound network - IO ratios. It leverages process metrics from an OTEL collector and Kubelet Stats - Receiver, along with data from Splunk Observability Cloud. Anomalies are detected - using a lookup table containing average and standard deviation values for network - IO, triggering an event if the anomaly persists for over an hour. This activity - is significant as it may indicate data exfiltration, command and control communication, - or compromised container behavior. If confirmed malicious, it could lead to data - breaches, service outages, and unauthorized access within the Kubernetes cluster. +description: The following analytic identifies significant changes in network communication behavior within Kubernetes containers by examining the inbound to outbound network IO ratios. It leverages process metrics from an OTEL collector and Kubelet Stats Receiver, along with data from Splunk Observability Cloud. Anomalies are detected using a lookup table containing average and standard deviation values for network IO, triggering an event if the anomaly persists for over an hour. This activity is significant as it may indicate data exfiltration, command and control communication, or compromised container behavior. If confirmed malicious, it could lead to data breaches, service outages, and unauthorized access within the Kubernetes cluster. data_source: [] -search: '| mstats avg(k8s.pod.network.io) as io where `kubernetes_metrics` by k8s.cluster.name k8s.pod.name k8s.node.name direction span=10s - | eval service = replace(''k8s.pod.name'', "-\w{5}$|-[abcdef0-9]{8,10}-\w{5}$", "") - | eval key = ''k8s.cluster.name'' + ":" + ''service'' - | stats avg(eval(if(direction="transmit", io,null()))) as outbound_network_io avg(eval(if(direction="receive", io,null()))) as inbound_network_io by key service k8s.cluster.name k8s.pod.name k8s.node.name _time - | eval inbound:outbound = inbound_network_io/outbound_network_io - | eval outbound:inbound = outbound_network_io/inbound_network_io - | fields - *network_io - | lookup k8s_container_network_io_ratio_baseline key - | eval anomalies = "" - | foreach stdev_* - [ eval anomalies =if( ''<>'' > (''avg_<>'' + 4 * ''stdev_<>''), anomalies + "<> ratio higher than average by " + - tostring(round((''<>'' - ''avg_<>'')/''stdev_<>'' ,2)) + " Standard Deviations. <>=" + tostring(''<>'') + " avg_<>=" - + tostring(''avg_<>'') + " ''stdev_<>''=" + tostring(''stdev_<>'') + ", " - , anomalies) - ] - | eval anomalies = replace(anomalies, ",\s$", "") - | where anomalies!="" - | stats count values(anomalies) as anomalies by k8s.cluster.name k8s.node.name k8s.pod.name service - | rename service as k8s.service - | where count > 5 - | rename k8s.node.name as host - | `kubernetes_anomalous_inbound_to_outbound_network_io_ratio_filter`' -how_to_implement: 'To implement this detection, follow these steps: - +search: '| mstats avg(k8s.pod.network.io) as io where `kubernetes_metrics` by k8s.cluster.name k8s.pod.name k8s.node.name direction span=10s | eval service = replace(''k8s.pod.name'', "-\w{5}$|-[abcdef0-9]{8,10}-\w{5}$", "") | eval key = ''k8s.cluster.name'' + ":" + ''service'' | stats avg(eval(if(direction="transmit", io,null()))) as outbound_network_io avg(eval(if(direction="receive", io,null()))) as inbound_network_io by key service k8s.cluster.name k8s.pod.name k8s.node.name _time | eval inbound:outbound = inbound_network_io/outbound_network_io | eval outbound:inbound = outbound_network_io/inbound_network_io | fields - *network_io | lookup k8s_container_network_io_ratio_baseline key | eval anomalies = "" | foreach stdev_* [ eval anomalies =if( ''<>'' > (''avg_<>'' + 4 * ''stdev_<>''), anomalies + "<> ratio higher than average by " + tostring(round((''<>'' - ''avg_<>'')/''stdev_<>'' ,2)) + " Standard Deviations. <>=" + tostring(''<>'') + " avg_<>=" + tostring(''avg_<>'') + " ''stdev_<>''=" + tostring(''stdev_<>'') + ", " , anomalies) ] | eval anomalies = replace(anomalies, ",\s$", "") | where anomalies!="" | stats count values(anomalies) as anomalies by k8s.cluster.name k8s.node.name k8s.pod.name service | rename service as k8s.service | where count > 5 | rename k8s.node.name as host | `kubernetes_anomalous_inbound_to_outbound_network_io_ratio_filter`' +how_to_implement: 'To implement this detection, follow these steps: + * Deploy the OpenTelemetry Collector (OTEL) to your Kubernetes cluster. * Enable the hostmetrics/process receiver in the OTEL configuration. - * Ensure that the process metrics, specifically Process.cpu.utilization and process.memory.utilization, - are enabled. + * Ensure that the process metrics, specifically Process.cpu.utilization and process.memory.utilization, are enabled. * Install the Splunk Infrastructure Monitoring (SIM) add-on. (ref: https://splunkbase.splunk.com/app/5247) - * Configure the SIM add-on with your Observability Cloud Organization ID and Access - Token. + * Configure the SIM add-on with your Observability Cloud Organization ID and Access Token. * Set up the SIM modular input to ingest Process Metrics. Name this input "sim_process_metrics_to_metrics_index". - * In the SIM configuration, set the Organization ID to your Observability Cloud - Organization ID. + * In the SIM configuration, set the Organization ID to your Observability Cloud Organization ID. - * Set the Signal Flow Program to the following: data(''process.threads'').publish(label=''A''); - data(''process.cpu.utilization'').publish(label=''B''); data(''process.cpu.time'').publish(label=''C''); - data(''process.disk.io'').publish(label=''D''); data(''process.memory.usage'').publish(label=''E''); - data(''process.memory.virtual'').publish(label=''F''); data(''process.memory.utilization'').publish(label=''G''); - data(''process.cpu.utilization'').publish(label=''H''); data(''process.disk.operations'').publish(label=''I''); - data(''process.handles'').publish(label=''J''); data(''process.threads'').publish(label=''K'') + * Set the Signal Flow Program to the following: data(''process.threads'').publish(label=''A''); data(''process.cpu.utilization'').publish(label=''B''); data(''process.cpu.time'').publish(label=''C''); data(''process.disk.io'').publish(label=''D''); data(''process.memory.usage'').publish(label=''E''); data(''process.memory.virtual'').publish(label=''F''); data(''process.memory.utilization'').publish(label=''G''); data(''process.cpu.utilization'').publish(label=''H''); data(''process.disk.operations'').publish(label=''I''); data(''process.handles'').publish(label=''J''); data(''process.threads'').publish(label=''K'') * Set the Metric Resolution to 10000. @@ -77,8 +40,7 @@ tags: asset_type: Kubernetes confidence: 50 impact: 50 - message: Kubernetes Anomalous Inbound to Outbound Network IO Ratio from Container - on host $host$ + message: Kubernetes Anomalous Inbound to Outbound Network IO Ratio from Container on host $host$ mitre_attack_id: - T1204 observable: diff --git a/detections/cloud/kubernetes_anomalous_outbound_network_activity_from_process.yml b/detections/cloud/kubernetes_anomalous_outbound_network_activity_from_process.yml index 8a960a801c..73183c00cc 100644 --- a/detections/cloud/kubernetes_anomalous_outbound_network_activity_from_process.yml +++ b/detections/cloud/kubernetes_anomalous_outbound_network_activity_from_process.yml @@ -5,44 +5,12 @@ date: '2024-10-17' author: Matthew Moore, Splunk status: experimental type: Anomaly -description: 'The following analytic identifies anomalously high outbound network - activity from processes running within containerized workloads in a Kubernetes environment. - It leverages Network Performance Monitoring metrics collected via an OTEL collector - and pulled from Splunk Observability Cloud. The detection compares recent network - metrics (tcp.bytes, tcp.new_sockets, tcp.packets, udp.bytes, udp.packets) over the - last hour with the average metrics over the past 30 days. This activity is significant - as it may indicate data exfiltration, process modification, or container compromise. - If confirmed malicious, it could lead to unauthorized data exfiltration, communication - with malicious entities, or further attacks within the containerized environment.' +description: The following analytic identifies anomalously high outbound network activity from processes running within containerized workloads in a Kubernetes environment. It leverages Network Performance Monitoring metrics collected via an OTEL collector and pulled from Splunk Observability Cloud. The detection compares recent network metrics (tcp.bytes, tcp.new_sockets, tcp.packets, udp.bytes, udp.packets) over the last hour with the average metrics over the past 30 days. This activity is significant as it may indicate data exfiltration, process modification, or container compromise. If confirmed malicious, it could lead to unauthorized data exfiltration, communication with malicious entities, or further attacks within the containerized environment. data_source: [] -search: '| mstats avg(tcp.*) as tcp.* avg(udp.*) as udp.* where `kubernetes_metrics` AND earliest=-1h by k8s.cluster.name source.workload.name source.process.name span=10s - | eval key=''source.workload.name'' + ":" + ''source.process.name'' - | join type=left key - [ mstats avg(tcp.*) as avg_tcp.* avg(udp.*) as avg_udp.* stdev(tcp.*) as stdev_tcp.* avg(udp.*) as stdev_udp.* where `kubernetes_metrics` AND earliest=-30d latest=-1h by source.workload.name source.process.name - | eval key=''source.workload.name'' + ":" + ''source.process.name'' - ] - | eval anomalies = "" - | foreach stdev_* - [ eval anomalies =if( ''<>'' > (''avg_<>'' + 3 * ''stdev_<>''), anomalies + "<> higher than average by " + - tostring(round((''<>'' - ''avg_<>'')/''stdev_<>'' ,2)) + " Standard Deviations. <>=" + tostring(''<>'') + " avg_<>=" - + tostring(''avg_<>'') + " ''stdev_<>''=" + tostring(''stdev_<>'') + ", " - , anomalies) - ] - | fillnull - | eval anomalies = split(replace(anomalies, ",\s$$$$", "") ,", ") - | where anomalies!="" - | stats count(anomalies) as count values(anomalies) as anomalies by k8s.cluster.name source.workload.name source.process.name - | where count > 5 - | rename k8s.cluster.name as host - | `kubernetes_anomalous_outbound_network_activity_from_process_filter`' -how_to_implement: 'To gather NPM metrics the Open Telemetry to the Kubernetes Cluster and - enable Network Performance Monitoring according to instructions found in Splunk Docs - https://docs.splunk.com/observability/en/infrastructure/network-explorer/network-explorer-setup.html#network-explorer-setup - In order to access those metrics from within Splunk Enterprise and ES, the Splunk Infrastructure Monitoring add-on must be installed and - configured on a Splunk Search Head. Once installed, first configure the add-on with your O11y Cloud Org ID and Access Token. - Lastly set up the add-on to ingest metrics from O11y cloud using the following settings, and any other settings left at default: - - * Name sim_npm_metrics_to_metrics_index +search: '| mstats avg(tcp.*) as tcp.* avg(udp.*) as udp.* where `kubernetes_metrics` AND earliest=-1h by k8s.cluster.name source.workload.name source.process.name span=10s | eval key=''source.workload.name'' + ":" + ''source.process.name'' | join type=left key [ mstats avg(tcp.*) as avg_tcp.* avg(udp.*) as avg_udp.* stdev(tcp.*) as stdev_tcp.* avg(udp.*) as stdev_udp.* where `kubernetes_metrics` AND earliest=-30d latest=-1h by source.workload.name source.process.name | eval key=''source.workload.name'' + ":" + ''source.process.name'' ] | eval anomalies = "" | foreach stdev_* [ eval anomalies =if( ''<>'' > (''avg_<>'' + 3 * ''stdev_<>''), anomalies + "<> higher than average by " + tostring(round((''<>'' - ''avg_<>'')/''stdev_<>'' ,2)) + " Standard Deviations. <>=" + tostring(''<>'') + " avg_<>=" + tostring(''avg_<>'') + " ''stdev_<>''=" + tostring(''stdev_<>'') + ", " , anomalies) ] | fillnull | eval anomalies = split(replace(anomalies, ",\s$$$$", "") ,", ") | where anomalies!="" | stats count(anomalies) as count values(anomalies) as anomalies by k8s.cluster.name source.workload.name source.process.name | where count > 5 | rename k8s.cluster.name as host | `kubernetes_anomalous_outbound_network_activity_from_process_filter`' +how_to_implement: 'To gather NPM metrics the Open Telemetry to the Kubernetes Cluster and enable Network Performance Monitoring according to instructions found in Splunk Docs https://docs.splunk.com/observability/en/infrastructure/network-explorer/network-explorer-setup.html#network-explorer-setup In order to access those metrics from within Splunk Enterprise and ES, the Splunk Infrastructure Monitoring add-on must be installed and configured on a Splunk Search Head. Once installed, first configure the add-on with your O11y Cloud Org ID and Access Token. Lastly set up the add-on to ingest metrics from O11y cloud using the following settings, and any other settings left at default: + + * Name sim_npm_metrics_to_metrics_index * Metric Resolution 10000' known_false_positives: unknown @@ -54,8 +22,7 @@ tags: asset_type: Kubernetes confidence: 50 impact: 50 - message: Kubernetes Anomalous Outbound Network Activity from Process in kubernetes - cluster $host$ + message: Kubernetes Anomalous Outbound Network Activity from Process in kubernetes cluster $host$ mitre_attack_id: - T1204 observable: diff --git a/detections/cloud/kubernetes_anomalous_traffic_on_network_edge.yml b/detections/cloud/kubernetes_anomalous_traffic_on_network_edge.yml index 1fe622f1da..0e0076f2f3 100644 --- a/detections/cloud/kubernetes_anomalous_traffic_on_network_edge.yml +++ b/detections/cloud/kubernetes_anomalous_traffic_on_network_edge.yml @@ -5,45 +5,12 @@ date: '2024-10-17' author: Matthew Moore, Splunk status: experimental type: Anomaly -description: 'The following analytic identifies anomalous network traffic volumes - between Kubernetes workloads or between a workload and external sources. It leverages - Network Performance Monitoring metrics collected via an OTEL collector and pulled - from Splunk Observability Cloud. The detection compares recent network metrics (tcp.bytes, - tcp.new_sockets, tcp.packets, udp.bytes, udp.packets) over the last hour with the - average over the past 30 days to identify significant deviations. This activity - is significant as unexpected spikes may indicate unauthorized data transfers or - lateral movement. If confirmed malicious, it could lead to data exfiltration or - compromise of additional services, potentially resulting in data breaches.' +description: The following analytic identifies anomalous network traffic volumes between Kubernetes workloads or between a workload and external sources. It leverages Network Performance Monitoring metrics collected via an OTEL collector and pulled from Splunk Observability Cloud. The detection compares recent network metrics (tcp.bytes, tcp.new_sockets, tcp.packets, udp.bytes, udp.packets) over the last hour with the average over the past 30 days to identify significant deviations. This activity is significant as unexpected spikes may indicate unauthorized data transfers or lateral movement. If confirmed malicious, it could lead to data exfiltration or compromise of additional services, potentially resulting in data breaches. data_source: [] -search: '| mstats avg(tcp.*) as tcp.* avg(udp.*) as udp.* where `kubernetes_metrics` AND earliest=-1h by k8s.cluster.name source.workload.name dest.workload.name span=10s - | eval key=''source.workload.name'' + ":" + ''dest.workload.name'' - | join type=left key - [ mstats avg(tcp.*) as avg_tcp.* avg(udp.*) as avg_udp.* stdev(tcp.*) as stdev_tcp.* avg(udp.*) as stdev_udp.* where `kubernetes_metrics` AND earliest=-30d latest=-1h by source.workload.name dest.workload.name - | eval key=''source.workload.name'' + ":" + ''dest.workload.name'' - ] - | eval anomalies = "" - | foreach stdev_* - [ eval anomalies =if( ''<>'' > (''avg_<>'' + 3 * ''stdev_<>''), anomalies + "<> higher than average by " + - tostring(round((''<>'' - ''avg_<>'')/''stdev_<>'' ,2)) + " Standard Deviations. <>=" + tostring(''<>'') + " avg_<>=" - + tostring(''avg_<>'') + " ''stdev_<>''=" + tostring(''stdev_<>'') + ", " - , anomalies) - ] - | fillnull - | eval anomalies = split(replace(anomalies, ",\s$$$$", "") ,", ") - | where anomalies!="" - | stats count(anomalies) as count values(anomalies) as anomalies by k8s.cluster.name source.workload.name dest.workload.name - | rename service as k8s.service - | where count > 5 - | rename k8s.cluster.name as host - | `kubernetes_anomalous_traffic_on_network_edge_filter`' -how_to_implement: 'To gather NPM metrics the Open Telemetry to the Kubernetes Cluster and - enable Network Performance Monitoring according to instructions found in Splunk Docs - https://docs.splunk.com/observability/en/infrastructure/network-explorer/network-explorer-setup.html#network-explorer-setup - In order to access those metrics from within Splunk Enterprise and ES, the Splunk Infrastructure Monitoring add-on must be installed and - configured on a Splunk Search Head. Once installed, first configure the add-on with your O11y Cloud Org ID and Access Token. - Lastly set up the add-on to ingest metrics from O11y cloud using the following settings, and any other settings left at default: - - * Name sim_npm_metrics_to_metrics_index +search: '| mstats avg(tcp.*) as tcp.* avg(udp.*) as udp.* where `kubernetes_metrics` AND earliest=-1h by k8s.cluster.name source.workload.name dest.workload.name span=10s | eval key=''source.workload.name'' + ":" + ''dest.workload.name'' | join type=left key [ mstats avg(tcp.*) as avg_tcp.* avg(udp.*) as avg_udp.* stdev(tcp.*) as stdev_tcp.* avg(udp.*) as stdev_udp.* where `kubernetes_metrics` AND earliest=-30d latest=-1h by source.workload.name dest.workload.name | eval key=''source.workload.name'' + ":" + ''dest.workload.name'' ] | eval anomalies = "" | foreach stdev_* [ eval anomalies =if( ''<>'' > (''avg_<>'' + 3 * ''stdev_<>''), anomalies + "<> higher than average by " + tostring(round((''<>'' - ''avg_<>'')/''stdev_<>'' ,2)) + " Standard Deviations. <>=" + tostring(''<>'') + " avg_<>=" + tostring(''avg_<>'') + " ''stdev_<>''=" + tostring(''stdev_<>'') + ", " , anomalies) ] | fillnull | eval anomalies = split(replace(anomalies, ",\s$$$$", "") ,", ") | where anomalies!="" | stats count(anomalies) as count values(anomalies) as anomalies by k8s.cluster.name source.workload.name dest.workload.name | rename service as k8s.service | where count > 5 | rename k8s.cluster.name as host | `kubernetes_anomalous_traffic_on_network_edge_filter`' +how_to_implement: 'To gather NPM metrics the Open Telemetry to the Kubernetes Cluster and enable Network Performance Monitoring according to instructions found in Splunk Docs https://docs.splunk.com/observability/en/infrastructure/network-explorer/network-explorer-setup.html#network-explorer-setup In order to access those metrics from within Splunk Enterprise and ES, the Splunk Infrastructure Monitoring add-on must be installed and configured on a Splunk Search Head. Once installed, first configure the add-on with your O11y Cloud Org ID and Access Token. Lastly set up the add-on to ingest metrics from O11y cloud using the following settings, and any other settings left at default: + + * Name sim_npm_metrics_to_metrics_index * Metric Resolution 10000' known_false_positives: unknown diff --git a/detections/cloud/kubernetes_aws_detect_suspicious_kubectl_calls.yml b/detections/cloud/kubernetes_aws_detect_suspicious_kubectl_calls.yml index c9cdfc430c..857ba3304f 100644 --- a/detections/cloud/kubernetes_aws_detect_suspicious_kubectl_calls.yml +++ b/detections/cloud/kubernetes_aws_detect_suspicious_kubectl_calls.yml @@ -5,29 +5,12 @@ date: '2024-10-17' author: Rod Soto, Patrick Bareiss, Splunk status: experimental type: Anomaly -description: 'The following analytic detects anonymous and unauthenticated requests - to a Kubernetes cluster. It identifies this behavior by monitoring API calls from - users who have not provided any token or password in their request, using data from - `kube_audit` logs. This activity is significant for a SOC as it indicates a severe - misconfiguration, allowing unfettered access to the cluster with no traceability. - If confirmed malicious, an attacker could gain access to sensitive data or control - over the cluster, posing a substantial security risk.' +description: The following analytic detects anonymous and unauthenticated requests to a Kubernetes cluster. It identifies this behavior by monitoring API calls from users who have not provided any token or password in their request, using data from `kube_audit` logs. This activity is significant for a SOC as it indicates a severe misconfiguration, allowing unfettered access to the cluster with no traceability. If confirmed malicious, an attacker could gain access to sensitive data or control over the cluster, posing a substantial security risk. data_source: - Kubernetes Audit -search: '`kube_audit` user.username="system:anonymous" user.groups{} IN ("system:unauthenticated") - | fillnull | stats count by objectRef.name objectRef.namespace objectRef.resource - requestReceivedTimestamp requestURI responseStatus.code sourceIPs{} stage user.groups{} - user.uid user.username userAgent verb | rename sourceIPs{} as src_ip, user.username - as user |`kubernetes_aws_detect_suspicious_kubectl_calls_filter`' -how_to_implement: The detection is based on data that originates from Kubernetes Audit logs. Ensure that audit logging is enabled in your Kubernetes cluster. - Kubernetes audit logs provide a record of the requests made to the Kubernetes API server, which is crucial for monitoring and detecting suspicious activities. - Configure the audit policy in Kubernetes to determine what kind of activities are logged. This is done by creating an Audit Policy and providing it to the API server. - Use the Splunk OpenTelemetry Collector for Kubernetes to collect the logs. This doc will describe how to collect the audit log file https://github.com/signalfx/splunk-otel-collector-chart/blob/main/docs/migration-from-sck.md. - When you want to use this detection with AWS EKS, you need to enable EKS control plane logging https://docs.aws.amazon.com/eks/latest/userguide/control-plane-logs.html. Then - you can collect the logs from Cloudwatch using the AWS TA https://splunk.github.io/splunk-add-on-for-amazon-web-services/CloudWatchLogs/. -known_false_positives: Kubectl calls are not malicious by nature. However source IP, - verb and Object can reveal potential malicious activity, specially anonymous suspicious - IPs and sensitive objects such as configmaps or secrets +search: '`kube_audit` user.username="system:anonymous" user.groups{} IN ("system:unauthenticated") | fillnull | stats count by objectRef.name objectRef.namespace objectRef.resource requestReceivedTimestamp requestURI responseStatus.code sourceIPs{} stage user.groups{} user.uid user.username userAgent verb | rename sourceIPs{} as src_ip, user.username as user |`kubernetes_aws_detect_suspicious_kubectl_calls_filter`' +how_to_implement: The detection is based on data that originates from Kubernetes Audit logs. Ensure that audit logging is enabled in your Kubernetes cluster. Kubernetes audit logs provide a record of the requests made to the Kubernetes API server, which is crucial for monitoring and detecting suspicious activities. Configure the audit policy in Kubernetes to determine what kind of activities are logged. This is done by creating an Audit Policy and providing it to the API server. Use the Splunk OpenTelemetry Collector for Kubernetes to collect the logs. This doc will describe how to collect the audit log file https://github.com/signalfx/splunk-otel-collector-chart/blob/main/docs/migration-from-sck.md. When you want to use this detection with AWS EKS, you need to enable EKS control plane logging https://docs.aws.amazon.com/eks/latest/userguide/control-plane-logs.html. Then you can collect the logs from Cloudwatch using the AWS TA https://splunk.github.io/splunk-add-on-for-amazon-web-services/CloudWatchLogs/. +known_false_positives: Kubectl calls are not malicious by nature. However source IP, verb and Object can reveal potential malicious activity, specially anonymous suspicious IPs and sensitive objects such as configmaps or secrets references: [] tags: analytic_story: diff --git a/detections/cloud/kubernetes_create_or_update_privileged_pod.yml b/detections/cloud/kubernetes_create_or_update_privileged_pod.yml index c9a140a01c..5ce9e74632 100644 --- a/detections/cloud/kubernetes_create_or_update_privileged_pod.yml +++ b/detections/cloud/kubernetes_create_or_update_privileged_pod.yml @@ -14,12 +14,12 @@ known_false_positives: unknown references: - https://kubernetes.io/docs/tasks/debug/debug-cluster/audit/ drilldown_searches: -- name: View the detection results for $user$ - search: '%original_detection_search% | search user = $user$' +- name: View the detection results for - "$user$" + search: '%original_detection_search% | search user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/cloud/kubernetes_cron_job_creation.yml b/detections/cloud/kubernetes_cron_job_creation.yml index c6c0057924..178ab06275 100644 --- a/detections/cloud/kubernetes_cron_job_creation.yml +++ b/detections/cloud/kubernetes_cron_job_creation.yml @@ -14,12 +14,12 @@ known_false_positives: unknown references: - https://kubernetes.io/docs/tasks/debug/debug-cluster/audit/ drilldown_searches: -- name: View the detection results for $user$ - search: '%original_detection_search% | search user = $user$' +- name: View the detection results for - "$user$" + search: '%original_detection_search% | search user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/cloud/kubernetes_daemonset_deployed.yml b/detections/cloud/kubernetes_daemonset_deployed.yml index b60d8ee09b..4e9384e1b1 100644 --- a/detections/cloud/kubernetes_daemonset_deployed.yml +++ b/detections/cloud/kubernetes_daemonset_deployed.yml @@ -14,12 +14,12 @@ known_false_positives: unknown references: - https://kubernetes.io/docs/tasks/debug/debug-cluster/audit/ drilldown_searches: -- name: View the detection results for $user$ - search: '%original_detection_search% | search user = $user$' +- name: View the detection results for - "$user$" + search: '%original_detection_search% | search user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/cloud/kubernetes_falco_shell_spawned.yml b/detections/cloud/kubernetes_falco_shell_spawned.yml index 5aa0461362..6f1f7714bc 100644 --- a/detections/cloud/kubernetes_falco_shell_spawned.yml +++ b/detections/cloud/kubernetes_falco_shell_spawned.yml @@ -14,12 +14,12 @@ known_false_positives: unknown references: - https://kubernetes.io/docs/tasks/debug/debug-cluster/audit/ drilldown_searches: -- name: View the detection results for $user$ - search: '%original_detection_search% | search user = $user$' +- name: View the detection results for - "$user$" + search: '%original_detection_search% | search user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/cloud/kubernetes_newly_seen_tcp_edge.yml b/detections/cloud/kubernetes_newly_seen_tcp_edge.yml index f662cdd83e..13fce7809a 100644 --- a/detections/cloud/kubernetes_newly_seen_tcp_edge.yml +++ b/detections/cloud/kubernetes_newly_seen_tcp_edge.yml @@ -5,34 +5,12 @@ date: '2024-10-17' author: Matthew Moore, Splunk status: experimental type: Anomaly -description: 'The following analytic identifies newly seen TCP communication between - source and destination workload pairs within a Kubernetes cluster. It leverages - Network Performance Monitoring metrics collected via an OTEL collector and pulled - from Splunk Observability Cloud. The detection compares network activity over the - last hour with the past 30 days to spot new inter-workload communications. This - is significant as new connections can indicate changes in application behavior or - potential security threats. If malicious, unauthorized connections could lead to - data breaches, privilege escalation, lateral movement, or disruption of critical - services, compromising the application''s integrity, availability, and confidentiality.' +description: The following analytic identifies newly seen TCP communication between source and destination workload pairs within a Kubernetes cluster. It leverages Network Performance Monitoring metrics collected via an OTEL collector and pulled from Splunk Observability Cloud. The detection compares network activity over the last hour with the past 30 days to spot new inter-workload communications. This is significant as new connections can indicate changes in application behavior or potential security threats. If malicious, unauthorized connections could lead to data breaches, privilege escalation, lateral movement, or disruption of critical services, compromising the application's integrity, availability, and confidentiality. data_source: [] -search: '| mstats count(tcp.packets) as tcp.packets_count where `kubernetes_metrics` AND earliest=-1h by k8s.cluster.name source.workload.name dest.workload.name - | eval current="True" - | append - [ mstats count(tcp.packets) as tcp.packets_count where `kubernetes_metrics` AND earliest=-30d latest=-1h by source.workload.name dest.workload.name - | eval current="false" - ] - | eventstats values(current) as current by source.workload.name dest.workload.name - | search current="true" current!="false" - | rename k8s.cluster.name as host - | `kubernetes_newly_seen_tcp_edge_filter`' -how_to_implement: 'To gather NPM metrics the Open Telemetry to the Kubernetes Cluster and - enable Network Performance Monitoring according to instructions found in Splunk Docs - https://docs.splunk.com/observability/en/infrastructure/network-explorer/network-explorer-setup.html#network-explorer-setup - In order to access those metrics from within Splunk Enterprise and ES, the Splunk Infrastructure Monitoring add-on must be installed and - configured on a Splunk Search Head. Once installed, first configure the add-on with your O11y Cloud Org ID and Access Token. - Lastly set up the add-on to ingest metrics from O11y cloud using the following settings, and any other settings left at default: - - * Name sim_npm_metrics_to_metrics_index +search: '| mstats count(tcp.packets) as tcp.packets_count where `kubernetes_metrics` AND earliest=-1h by k8s.cluster.name source.workload.name dest.workload.name | eval current="True" | append [ mstats count(tcp.packets) as tcp.packets_count where `kubernetes_metrics` AND earliest=-30d latest=-1h by source.workload.name dest.workload.name | eval current="false" ] | eventstats values(current) as current by source.workload.name dest.workload.name | search current="true" current!="false" | rename k8s.cluster.name as host | `kubernetes_newly_seen_tcp_edge_filter`' +how_to_implement: 'To gather NPM metrics the Open Telemetry to the Kubernetes Cluster and enable Network Performance Monitoring according to instructions found in Splunk Docs https://docs.splunk.com/observability/en/infrastructure/network-explorer/network-explorer-setup.html#network-explorer-setup In order to access those metrics from within Splunk Enterprise and ES, the Splunk Infrastructure Monitoring add-on must be installed and configured on a Splunk Search Head. Once installed, first configure the add-on with your O11y Cloud Org ID and Access Token. Lastly set up the add-on to ingest metrics from O11y cloud using the following settings, and any other settings left at default: + + * Name sim_npm_metrics_to_metrics_index * Metric Resolution 10000' known_false_positives: unknown diff --git a/detections/cloud/kubernetes_newly_seen_udp_edge.yml b/detections/cloud/kubernetes_newly_seen_udp_edge.yml index 44a5d06d1a..ca3826ab0f 100644 --- a/detections/cloud/kubernetes_newly_seen_udp_edge.yml +++ b/detections/cloud/kubernetes_newly_seen_udp_edge.yml @@ -5,34 +5,12 @@ date: '2024-10-17' author: Matthew Moore, Splunk status: experimental type: Anomaly -description: 'The following analytic detects UDP communication between a newly seen - source and destination workload pair within a Kubernetes cluster. It leverages Network - Performance Monitoring metrics collected via an OTEL collector and pulled from Splunk - Observability Cloud. This detection compares network activity over the last hour - with the past 30 days to identify new inter-workload communication. Such changes - in network behavior can indicate potential security threats or anomalies. If confirmed - malicious, unauthorized connections may enable attackers to infiltrate the application - ecosystem, leading to data breaches, privilege escalation, lateral movement, or - disruption of critical services.' +description: The following analytic detects UDP communication between a newly seen source and destination workload pair within a Kubernetes cluster. It leverages Network Performance Monitoring metrics collected via an OTEL collector and pulled from Splunk Observability Cloud. This detection compares network activity over the last hour with the past 30 days to identify new inter-workload communication. Such changes in network behavior can indicate potential security threats or anomalies. If confirmed malicious, unauthorized connections may enable attackers to infiltrate the application ecosystem, leading to data breaches, privilege escalation, lateral movement, or disruption of critical services. data_source: [] -search: '| mstats count(udp.packets) as udp.packets_count where `kubernetes_metrics` AND earliest=-1h by k8s.cluster.name source.workload.name dest.workload.name - | eval current="True" - | append - [ mstats count(udp.packets) as udp.packets_count where `kubernetes_metrics` AND earliest=-30d latest=-1h by source.workload.name dest.workload.name - | eval current="false" - ] - | eventstats values(current) as current by source.workload.name dest.workload.name - | search current="true" current!="false" - | rename k8s.cluster.name as host - | `kubernetes_newly_seen_udp_edge_filter`' -how_to_implement: 'To gather NPM metrics the Open Telemetry to the Kubernetes Cluster and - enable Network Performance Monitoring according to instructions found in Splunk Docs - https://docs.splunk.com/observability/en/infrastructure/network-explorer/network-explorer-setup.html#network-explorer-setup - In order to access those metrics from within Splunk Enterprise and ES, the Splunk Infrastructure Monitoring add-on must be installed and - configured on a Splunk Search Head. Once installed, first configure the add-on with your O11y Cloud Org ID and Access Token. - Lastly set up the add-on to ingest metrics from O11y cloud using the following settings, and any other settings left at default: - - * Name sim_npm_metrics_to_metrics_index +search: '| mstats count(udp.packets) as udp.packets_count where `kubernetes_metrics` AND earliest=-1h by k8s.cluster.name source.workload.name dest.workload.name | eval current="True" | append [ mstats count(udp.packets) as udp.packets_count where `kubernetes_metrics` AND earliest=-30d latest=-1h by source.workload.name dest.workload.name | eval current="false" ] | eventstats values(current) as current by source.workload.name dest.workload.name | search current="true" current!="false" | rename k8s.cluster.name as host | `kubernetes_newly_seen_udp_edge_filter`' +how_to_implement: 'To gather NPM metrics the Open Telemetry to the Kubernetes Cluster and enable Network Performance Monitoring according to instructions found in Splunk Docs https://docs.splunk.com/observability/en/infrastructure/network-explorer/network-explorer-setup.html#network-explorer-setup In order to access those metrics from within Splunk Enterprise and ES, the Splunk Infrastructure Monitoring add-on must be installed and configured on a Splunk Search Head. Once installed, first configure the add-on with your O11y Cloud Org ID and Access Token. Lastly set up the add-on to ingest metrics from O11y cloud using the following settings, and any other settings left at default: + + * Name sim_npm_metrics_to_metrics_index * Metric Resolution 10000' known_false_positives: unknown diff --git a/detections/cloud/kubernetes_nginx_ingress_lfi.yml b/detections/cloud/kubernetes_nginx_ingress_lfi.yml index 39e3ee028f..52b172d819 100644 --- a/detections/cloud/kubernetes_nginx_ingress_lfi.yml +++ b/detections/cloud/kubernetes_nginx_ingress_lfi.yml @@ -14,12 +14,12 @@ references: - https://github.com/splunk/splunk-connect-for-kubernetes - https://www.offensive-security.com/metasploit-unleashed/file-inclusion-vulnerabilities/ drilldown_searches: -- name: View the detection results for $host$ - search: '%original_detection_search% | search host = $host$' +- name: View the detection results for - "$host$" + search: '%original_detection_search% | search host = "$host$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $host$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($host$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$host$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$host$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/cloud/kubernetes_nginx_ingress_rfi.yml b/detections/cloud/kubernetes_nginx_ingress_rfi.yml index c8f10e1b57..4e908f9bcf 100644 --- a/detections/cloud/kubernetes_nginx_ingress_rfi.yml +++ b/detections/cloud/kubernetes_nginx_ingress_rfi.yml @@ -14,12 +14,12 @@ references: - https://github.com/splunk/splunk-connect-for-kubernetes - https://www.invicti.com/blog/web-security/remote-file-inclusion-vulnerability/ drilldown_searches: -- name: View the detection results for $host$ - search: '%original_detection_search% | search host = $host$' +- name: View the detection results for - "$host$" + search: '%original_detection_search% | search host = "$host$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $host$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($host$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$host$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$host$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/cloud/kubernetes_node_port_creation.yml b/detections/cloud/kubernetes_node_port_creation.yml index c44e02399b..c9e3f04320 100644 --- a/detections/cloud/kubernetes_node_port_creation.yml +++ b/detections/cloud/kubernetes_node_port_creation.yml @@ -14,12 +14,12 @@ known_false_positives: unknown references: - https://kubernetes.io/docs/tasks/debug/debug-cluster/audit/ drilldown_searches: -- name: View the detection results for $user$ - search: '%original_detection_search% | search user = $user$' +- name: View the detection results for - "$user$" + search: '%original_detection_search% | search user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/cloud/kubernetes_pod_created_in_default_namespace.yml b/detections/cloud/kubernetes_pod_created_in_default_namespace.yml index 9136f8c63a..b494872b13 100644 --- a/detections/cloud/kubernetes_pod_created_in_default_namespace.yml +++ b/detections/cloud/kubernetes_pod_created_in_default_namespace.yml @@ -14,12 +14,12 @@ known_false_positives: unknown references: - https://kubernetes.io/docs/tasks/debug/debug-cluster/audit/ drilldown_searches: -- name: View the detection results for $user$ - search: '%original_detection_search% | search user = $user$' +- name: View the detection results for - "$user$" + search: '%original_detection_search% | search user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/cloud/kubernetes_pod_with_host_network_attachment.yml b/detections/cloud/kubernetes_pod_with_host_network_attachment.yml index 4cfe8152e6..925c8e0244 100644 --- a/detections/cloud/kubernetes_pod_with_host_network_attachment.yml +++ b/detections/cloud/kubernetes_pod_with_host_network_attachment.yml @@ -14,12 +14,12 @@ known_false_positives: unknown references: - https://kubernetes.io/docs/tasks/debug/debug-cluster/audit/ drilldown_searches: -- name: View the detection results for $user$ - search: '%original_detection_search% | search user = $user$' +- name: View the detection results for - "$user$" + search: '%original_detection_search% | search user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/cloud/kubernetes_previously_unseen_container_image_name.yml b/detections/cloud/kubernetes_previously_unseen_container_image_name.yml index b16a13f619..de747c5918 100644 --- a/detections/cloud/kubernetes_previously_unseen_container_image_name.yml +++ b/detections/cloud/kubernetes_previously_unseen_container_image_name.yml @@ -5,50 +5,26 @@ date: '2024-10-17' author: Matthew Moore, Splunk status: experimental type: Anomaly -description: The following analytic identifies the creation of containerized workloads - using previously unseen images in a Kubernetes cluster. It leverages process metrics - from an OTEL collector and Kubernetes cluster receiver, pulled from Splunk Observability - Cloud. The detection compares container image names seen in the last hour with those - from the previous 30 days. This activity is significant as unfamiliar container - images may introduce vulnerabilities, malware, or misconfigurations, posing threats - to the cluster's integrity. If confirmed malicious, compromised images can lead - to data breaches, service disruptions, unauthorized access, and potential lateral - movement within the cluster. +description: The following analytic identifies the creation of containerized workloads using previously unseen images in a Kubernetes cluster. It leverages process metrics from an OTEL collector and Kubernetes cluster receiver, pulled from Splunk Observability Cloud. The detection compares container image names seen in the last hour with those from the previous 30 days. This activity is significant as unfamiliar container images may introduce vulnerabilities, malware, or misconfigurations, posing threats to the cluster's integrity. If confirmed malicious, compromised images can lead to data breaches, service disruptions, unauthorized access, and potential lateral movement within the cluster. data_source: [] -search: '| mstats count(k8s.container.ready) as k8s.container.ready_count where `kubernetes_metrics` AND earliest=-24h by host.name k8s.cluster.name k8s.node.name container.image.name - | eval current="True" - | append [mstats count(k8s.container.ready) as k8s.container.ready_count where `kubernetes_metrics` AND earliest=-30d latest=-1h by host.name k8s.cluster.name k8s.node.name container.image.name - | eval current="false" - ] - | stats values(current) as current by host.name k8s.cluster.name k8s.node.name container.image.name - | search current="true" AND current!="false" - | rename host.name as host - | `kubernetes_previously_unseen_container_image_name_filter`' -how_to_implement: 'To implement this detection, follow these steps: - +search: '| mstats count(k8s.container.ready) as k8s.container.ready_count where `kubernetes_metrics` AND earliest=-24h by host.name k8s.cluster.name k8s.node.name container.image.name | eval current="True" | append [mstats count(k8s.container.ready) as k8s.container.ready_count where `kubernetes_metrics` AND earliest=-30d latest=-1h by host.name k8s.cluster.name k8s.node.name container.image.name | eval current="false" ] | stats values(current) as current by host.name k8s.cluster.name k8s.node.name container.image.name | search current="true" AND current!="false" | rename host.name as host | `kubernetes_previously_unseen_container_image_name_filter`' +how_to_implement: 'To implement this detection, follow these steps: + * Deploy the OpenTelemetry Collector (OTEL) to your Kubernetes cluster. * Enable the hostmetrics/process receiver in the OTEL configuration. - * Ensure that the process metrics, specifically Process.cpu.utilization and process.memory.utilization, - are enabled. + * Ensure that the process metrics, specifically Process.cpu.utilization and process.memory.utilization, are enabled. * Install the Splunk Infrastructure Monitoring (SIM) add-on. (ref: https://splunkbase.splunk.com/app/5247) - * Configure the SIM add-on with your Observability Cloud Organization ID and Access - Token. + * Configure the SIM add-on with your Observability Cloud Organization ID and Access Token. * Set up the SIM modular input to ingest Process Metrics. Name this input "sim_process_metrics_to_metrics_index". - * In the SIM configuration, set the Organization ID to your Observability Cloud - Organization ID. + * In the SIM configuration, set the Organization ID to your Observability Cloud Organization ID. - * Set the Signal Flow Program to the following: data(''process.threads'').publish(label=''A''); - data(''process.cpu.utilization'').publish(label=''B''); data(''process.cpu.time'').publish(label=''C''); - data(''process.disk.io'').publish(label=''D''); data(''process.memory.usage'').publish(label=''E''); - data(''process.memory.virtual'').publish(label=''F''); data(''process.memory.utilization'').publish(label=''G''); - data(''process.cpu.utilization'').publish(label=''H''); data(''process.disk.operations'').publish(label=''I''); - data(''process.handles'').publish(label=''J''); data(''process.threads'').publish(label=''K'') + * Set the Signal Flow Program to the following: data(''process.threads'').publish(label=''A''); data(''process.cpu.utilization'').publish(label=''B''); data(''process.cpu.time'').publish(label=''C''); data(''process.disk.io'').publish(label=''D''); data(''process.memory.usage'').publish(label=''E''); data(''process.memory.virtual'').publish(label=''F''); data(''process.memory.utilization'').publish(label=''G''); data(''process.cpu.utilization'').publish(label=''H''); data(''process.disk.operations'').publish(label=''I''); data(''process.handles'').publish(label=''J''); data(''process.threads'').publish(label=''K'') * Set the Metric Resolution to 10000. diff --git a/detections/cloud/kubernetes_previously_unseen_process.yml b/detections/cloud/kubernetes_previously_unseen_process.yml index c4231ef84c..e135818a44 100644 --- a/detections/cloud/kubernetes_previously_unseen_process.yml +++ b/detections/cloud/kubernetes_previously_unseen_process.yml @@ -5,49 +5,26 @@ date: '2024-10-17' author: Matthew Moore, Splunk status: experimental type: Anomaly -description: The following analytic detects previously unseen processes within the - Kubernetes environment on master or worker nodes. It leverages process metrics collected - via an OTEL collector and hostmetrics receiver, and data is pulled from Splunk Observability - Cloud. This detection compares processes observed in the last hour against those - seen in the previous 30 days. Identifying new processes is crucial as they may indicate - unauthorized activity or attempts to compromise the node. If confirmed malicious, - these processes could lead to data exfiltration, privilege escalation, denial-of-service - attacks, or the introduction of malware, posing significant risks to the Kubernetes - cluster. +description: The following analytic detects previously unseen processes within the Kubernetes environment on master or worker nodes. It leverages process metrics collected via an OTEL collector and hostmetrics receiver, and data is pulled from Splunk Observability Cloud. This detection compares processes observed in the last hour against those seen in the previous 30 days. Identifying new processes is crucial as they may indicate unauthorized activity or attempts to compromise the node. If confirmed malicious, these processes could lead to data exfiltration, privilege escalation, denial-of-service attacks, or the introduction of malware, posing significant risks to the Kubernetes cluster. data_source: [] -search: '| mstats count(process.memory.utilization) as process.memory.utilization_count where `kubernetes_metrics` AND earliest=-1h by host.name k8s.cluster.name k8s.node.name process.executable.name - | eval current="True" - | append [mstats count(process.memory.utilization) as process.memory.utilization_count where `kubernetes_metrics` AND earliest=-30d latest=-1h by host.name k8s.cluster.name k8s.node.name process.executable.name - ] - | stats count values(current) as current by host.name k8s.cluster.name k8s.node.name process.executable.name - | where count=1 and current="True" - | rename host.name as host - | `kubernetes_previously_unseen_process_filter`' -how_to_implement: 'To implement this detection, follow these steps: - +search: '| mstats count(process.memory.utilization) as process.memory.utilization_count where `kubernetes_metrics` AND earliest=-1h by host.name k8s.cluster.name k8s.node.name process.executable.name | eval current="True" | append [mstats count(process.memory.utilization) as process.memory.utilization_count where `kubernetes_metrics` AND earliest=-30d latest=-1h by host.name k8s.cluster.name k8s.node.name process.executable.name ] | stats count values(current) as current by host.name k8s.cluster.name k8s.node.name process.executable.name | where count=1 and current="True" | rename host.name as host | `kubernetes_previously_unseen_process_filter`' +how_to_implement: 'To implement this detection, follow these steps: + * Deploy the OpenTelemetry Collector (OTEL) to your Kubernetes cluster. * Enable the hostmetrics/process receiver in the OTEL configuration. - * Ensure that the process metrics, specifically Process.cpu.utilization and process.memory.utilization, - are enabled. + * Ensure that the process metrics, specifically Process.cpu.utilization and process.memory.utilization, are enabled. * Install the Splunk Infrastructure Monitoring (SIM) add-on. (ref: https://splunkbase.splunk.com/app/5247) - * Configure the SIM add-on with your Observability Cloud Organization ID and Access - Token. + * Configure the SIM add-on with your Observability Cloud Organization ID and Access Token. * Set up the SIM modular input to ingest Process Metrics. Name this input "sim_process_metrics_to_metrics_index". - * In the SIM configuration, set the Organization ID to your Observability Cloud - Organization ID. + * In the SIM configuration, set the Organization ID to your Observability Cloud Organization ID. - * Set the Signal Flow Program to the following: data(''process.threads'').publish(label=''A''); - data(''process.cpu.utilization'').publish(label=''B''); data(''process.cpu.time'').publish(label=''C''); - data(''process.disk.io'').publish(label=''D''); data(''process.memory.usage'').publish(label=''E''); - data(''process.memory.virtual'').publish(label=''F''); data(''process.memory.utilization'').publish(label=''G''); - data(''process.cpu.utilization'').publish(label=''H''); data(''process.disk.operations'').publish(label=''I''); - data(''process.handles'').publish(label=''J''); data(''process.threads'').publish(label=''K'') + * Set the Signal Flow Program to the following: data(''process.threads'').publish(label=''A''); data(''process.cpu.utilization'').publish(label=''B''); data(''process.cpu.time'').publish(label=''C''); data(''process.disk.io'').publish(label=''D''); data(''process.memory.usage'').publish(label=''E''); data(''process.memory.virtual'').publish(label=''F''); data(''process.memory.utilization'').publish(label=''G''); data(''process.cpu.utilization'').publish(label=''H''); data(''process.disk.operations'').publish(label=''I''); data(''process.handles'').publish(label=''J''); data(''process.threads'').publish(label=''K'') * Set the Metric Resolution to 10000. diff --git a/detections/cloud/kubernetes_process_running_from_new_path.yml b/detections/cloud/kubernetes_process_running_from_new_path.yml index 3bb23903f5..b38bdbae28 100644 --- a/detections/cloud/kubernetes_process_running_from_new_path.yml +++ b/detections/cloud/kubernetes_process_running_from_new_path.yml @@ -5,50 +5,26 @@ date: '2024-10-17' author: Matthew Moore, Splunk status: experimental type: Anomaly -description: The following analytic identifies processes running from newly seen paths - within a Kubernetes environment. It leverages process metrics collected via an OTEL - collector and hostmetrics receiver, and data is pulled from Splunk Observability - Cloud using the Splunk Infrastructure Monitoring Add-on. This detection compares - processes observed in the last hour with those seen over the previous 30 days. This - activity is significant as it may indicate unauthorized changes, compromised nodes, - or the introduction of malicious software. If confirmed malicious, it could lead - to unauthorized process execution, control over critical resources, data exfiltration, - privilege escalation, or malware introduction within the Kubernetes cluster. +description: The following analytic identifies processes running from newly seen paths within a Kubernetes environment. It leverages process metrics collected via an OTEL collector and hostmetrics receiver, and data is pulled from Splunk Observability Cloud using the Splunk Infrastructure Monitoring Add-on. This detection compares processes observed in the last hour with those seen over the previous 30 days. This activity is significant as it may indicate unauthorized changes, compromised nodes, or the introduction of malicious software. If confirmed malicious, it could lead to unauthorized process execution, control over critical resources, data exfiltration, privilege escalation, or malware introduction within the Kubernetes cluster. data_source: [] -search: '| mstats count(process.memory.utilization) as process.memory.utilization_count where `kubernetes_metrics` AND earliest=-1h by host.name k8s.cluster.name k8s.node.name process.pid process.executable.path process.executable.name - | eval current="True" - | append - [ mstats count(process.memory.utilization) as process.memory.utilization_count where `kubernetes_metrics` AND earliest=-30d latest=-1h by host.name k8s.cluster.name k8s.node.name process.pid process.executable.path process.executable.name - ] - | stats count values(current) as current by host.name k8s.cluster.name k8s.node.name process.pid process.executable.name process.executable.path - | where count=1 and current="True" - | rename host.name as host - | `kubernetes_process_running_from_new_path_filter`' -how_to_implement: 'To implement this detection, follow these steps: - +search: '| mstats count(process.memory.utilization) as process.memory.utilization_count where `kubernetes_metrics` AND earliest=-1h by host.name k8s.cluster.name k8s.node.name process.pid process.executable.path process.executable.name | eval current="True" | append [ mstats count(process.memory.utilization) as process.memory.utilization_count where `kubernetes_metrics` AND earliest=-30d latest=-1h by host.name k8s.cluster.name k8s.node.name process.pid process.executable.path process.executable.name ] | stats count values(current) as current by host.name k8s.cluster.name k8s.node.name process.pid process.executable.name process.executable.path | where count=1 and current="True" | rename host.name as host | `kubernetes_process_running_from_new_path_filter`' +how_to_implement: 'To implement this detection, follow these steps: + * Deploy the OpenTelemetry Collector (OTEL) to your Kubernetes cluster. * Enable the hostmetrics/process receiver in the OTEL configuration. - * Ensure that the process metrics, specifically Process.cpu.utilization and process.memory.utilization, - are enabled. + * Ensure that the process metrics, specifically Process.cpu.utilization and process.memory.utilization, are enabled. * Install the Splunk Infrastructure Monitoring (SIM) add-on. (ref: https://splunkbase.splunk.com/app/5247) - * Configure the SIM add-on with your Observability Cloud Organization ID and Access - Token. + * Configure the SIM add-on with your Observability Cloud Organization ID and Access Token. * Set up the SIM modular input to ingest Process Metrics. Name this input "sim_process_metrics_to_metrics_index". - * In the SIM configuration, set the Organization ID to your Observability Cloud - Organization ID. + * In the SIM configuration, set the Organization ID to your Observability Cloud Organization ID. - * Set the Signal Flow Program to the following: data(''process.threads'').publish(label=''A''); - data(''process.cpu.utilization'').publish(label=''B''); data(''process.cpu.time'').publish(label=''C''); - data(''process.disk.io'').publish(label=''D''); data(''process.memory.usage'').publish(label=''E''); - data(''process.memory.virtual'').publish(label=''F''); data(''process.memory.utilization'').publish(label=''G''); - data(''process.cpu.utilization'').publish(label=''H''); data(''process.disk.operations'').publish(label=''I''); - data(''process.handles'').publish(label=''J''); data(''process.threads'').publish(label=''K'') + * Set the Signal Flow Program to the following: data(''process.threads'').publish(label=''A''); data(''process.cpu.utilization'').publish(label=''B''); data(''process.cpu.time'').publish(label=''C''); data(''process.disk.io'').publish(label=''D''); data(''process.memory.usage'').publish(label=''E''); data(''process.memory.virtual'').publish(label=''F''); data(''process.memory.utilization'').publish(label=''G''); data(''process.cpu.utilization'').publish(label=''H''); data(''process.disk.operations'').publish(label=''I''); data(''process.handles'').publish(label=''J''); data(''process.threads'').publish(label=''K'') * Set the Metric Resolution to 10000. diff --git a/detections/cloud/kubernetes_process_with_anomalous_resource_utilisation.yml b/detections/cloud/kubernetes_process_with_anomalous_resource_utilisation.yml index c2e636228f..4c91315a64 100644 --- a/detections/cloud/kubernetes_process_with_anomalous_resource_utilisation.yml +++ b/detections/cloud/kubernetes_process_with_anomalous_resource_utilisation.yml @@ -5,58 +5,26 @@ date: '2024-10-17' author: Matthew Moore, Splunk status: experimental type: Anomaly -description: The following analytic identifies high resource utilization anomalies - in Kubernetes processes. It leverages process metrics from an OTEL collector and - hostmetrics receiver, fetched via the Splunk Infrastructure Monitoring Add-on. The - detection uses a lookup table with average and standard deviation values to spot - anomalies. This activity is significant as high resource utilization can indicate - security threats like cryptojacking, unauthorized data exfiltration, or compromised - containers. If confirmed malicious, such anomalies can disrupt services, exhaust - resources, increase costs, and allow attackers to evade detection or maintain access. +description: The following analytic identifies high resource utilization anomalies in Kubernetes processes. It leverages process metrics from an OTEL collector and hostmetrics receiver, fetched via the Splunk Infrastructure Monitoring Add-on. The detection uses a lookup table with average and standard deviation values to spot anomalies. This activity is significant as high resource utilization can indicate security threats like cryptojacking, unauthorized data exfiltration, or compromised containers. If confirmed malicious, such anomalies can disrupt services, exhaust resources, increase costs, and allow attackers to evade detection or maintain access. data_source: [] -search: '| mstats avg(process.*) as process.* where `kubernetes_metrics` by host.name k8s.cluster.name k8s.node.name process.executable.name span=10s - | eval key = ''k8s.cluster.name'' + ":" + ''host.name'' + ":" + ''process.executable.name'' - | lookup k8s_process_resource_baseline key - | fillnull - | eval anomalies = "" - | foreach stdev_* - [ eval anomalies =if( ''<>'' > (''avg_<>'' + 4 * ''stdev_<>''), anomalies + "<> higher than average by " + - tostring(round((''<>'' - ''avg_<>'')/''stdev_<>'' ,2)) + " Standard Deviations. <>=" + tostring(''<>'') + " avg_<>=" - + tostring(''avg_<>'') + " ''stdev_<>''=" + tostring(''stdev_<>'') + ", " - , anomalies) - ] - | eval anomalies = replace(anomalies, ",\s$", "") - | where anomalies!="" - | stats count values(anomalies) as anomalies by host.name k8s.cluster.name k8s.node.name process.executable.name - | sort - count - | where count > 5 - | rename host.name as host - | `kubernetes_process_with_anomalous_resource_utilisation_filter`' -how_to_implement: 'To implement this detection, follow these steps: - +search: '| mstats avg(process.*) as process.* where `kubernetes_metrics` by host.name k8s.cluster.name k8s.node.name process.executable.name span=10s | eval key = ''k8s.cluster.name'' + ":" + ''host.name'' + ":" + ''process.executable.name'' | lookup k8s_process_resource_baseline key | fillnull | eval anomalies = "" | foreach stdev_* [ eval anomalies =if( ''<>'' > (''avg_<>'' + 4 * ''stdev_<>''), anomalies + "<> higher than average by " + tostring(round((''<>'' - ''avg_<>'')/''stdev_<>'' ,2)) + " Standard Deviations. <>=" + tostring(''<>'') + " avg_<>=" + tostring(''avg_<>'') + " ''stdev_<>''=" + tostring(''stdev_<>'') + ", " , anomalies) ] | eval anomalies = replace(anomalies, ",\s$", "") | where anomalies!="" | stats count values(anomalies) as anomalies by host.name k8s.cluster.name k8s.node.name process.executable.name | sort - count | where count > 5 | rename host.name as host | `kubernetes_process_with_anomalous_resource_utilisation_filter`' +how_to_implement: 'To implement this detection, follow these steps: + * Deploy the OpenTelemetry Collector (OTEL) to your Kubernetes cluster. * Enable the hostmetrics/process receiver in the OTEL configuration. - * Ensure that the process metrics, specifically Process.cpu.utilization and process.memory.utilization, - are enabled. + * Ensure that the process metrics, specifically Process.cpu.utilization and process.memory.utilization, are enabled. * Install the Splunk Infrastructure Monitoring (SIM) add-on. (ref: https://splunkbase.splunk.com/app/5247) - * Configure the SIM add-on with your Observability Cloud Organization ID and Access - Token. + * Configure the SIM add-on with your Observability Cloud Organization ID and Access Token. * Set up the SIM modular input to ingest Process Metrics. Name this input "sim_process_metrics_to_metrics_index". - * In the SIM configuration, set the Organization ID to your Observability Cloud - Organization ID. + * In the SIM configuration, set the Organization ID to your Observability Cloud Organization ID. - * Set the Signal Flow Program to the following: data(''process.threads'').publish(label=''A''); - data(''process.cpu.utilization'').publish(label=''B''); data(''process.cpu.time'').publish(label=''C''); - data(''process.disk.io'').publish(label=''D''); data(''process.memory.usage'').publish(label=''E''); - data(''process.memory.virtual'').publish(label=''F''); data(''process.memory.utilization'').publish(label=''G''); - data(''process.cpu.utilization'').publish(label=''H''); data(''process.disk.operations'').publish(label=''I''); - data(''process.handles'').publish(label=''J''); data(''process.threads'').publish(label=''K'') + * Set the Signal Flow Program to the following: data(''process.threads'').publish(label=''A''); data(''process.cpu.utilization'').publish(label=''B''); data(''process.cpu.time'').publish(label=''C''); data(''process.disk.io'').publish(label=''D''); data(''process.memory.usage'').publish(label=''E''); data(''process.memory.virtual'').publish(label=''F''); data(''process.memory.utilization'').publish(label=''G''); data(''process.cpu.utilization'').publish(label=''H''); data(''process.disk.operations'').publish(label=''I''); data(''process.handles'').publish(label=''J''); data(''process.threads'').publish(label=''K'') * Set the Metric Resolution to 10000. diff --git a/detections/cloud/kubernetes_process_with_resource_ratio_anomalies.yml b/detections/cloud/kubernetes_process_with_resource_ratio_anomalies.yml index fbc8a065ab..a17505403f 100644 --- a/detections/cloud/kubernetes_process_with_resource_ratio_anomalies.yml +++ b/detections/cloud/kubernetes_process_with_resource_ratio_anomalies.yml @@ -5,57 +5,26 @@ date: '2024-10-17' author: Matthew Moore, Splunk status: experimental type: Anomaly -description: The following analytic detects anomalous changes in resource utilization - ratios for processes running on a Kubernetes node. It leverages process metrics - collected via an OTEL collector and hostmetrics receiver, analyzed through Splunk - Observability Cloud. The detection uses a lookup table containing average and standard - deviation values for various resource ratios (e.g., CPU:memory, CPU:disk operations). - Significant deviations from these baselines may indicate compromised processes, - malicious activity, or misconfigurations. If confirmed malicious, this could signify - a security breach, allowing attackers to manipulate workloads, potentially leading - to data exfiltration or service disruption. +description: The following analytic detects anomalous changes in resource utilization ratios for processes running on a Kubernetes node. It leverages process metrics collected via an OTEL collector and hostmetrics receiver, analyzed through Splunk Observability Cloud. The detection uses a lookup table containing average and standard deviation values for various resource ratios (e.g., CPU:memory, CPU:disk operations). Significant deviations from these baselines may indicate compromised processes, malicious activity, or misconfigurations. If confirmed malicious, this could signify a security breach, allowing attackers to manipulate workloads, potentially leading to data exfiltration or service disruption. data_source: [] -search: '| mstats avg(process.*) as process.* where `kubernetes_metrics` by host.name - k8s.cluster.name k8s.node.name process.executable.name span=10s | eval cpu:mem = - ''process.cpu.utilization''/''process.memory.utilization'' | eval cpu:disk = ''process.cpu.utilization''/''process.disk.operations'' - | eval mem:disk = ''process.memory.utilization''/''process.disk.operations'' | eval - cpu:threads = ''process.cpu.utilization''/''process.threads'' | eval disk:threads - = ''process.disk.operations''/''process.threads'' | eval key = ''k8s.cluster.name'' - + ":" + ''host.name'' + ":" + ''process.executable.name'' | lookup k8s_process_resource_ratio_baseline - key | fillnull | eval anomalies = "" | foreach stdev_* [ eval anomalies =if( ''<>'' - > (''avg_<>'' + 4 * ''stdev_<>''), anomalies + "<> - ratio higher than average by " + tostring(round((''<>'' - ''avg_<>'')/''stdev_<>'' - ,2)) + " Standard Deviations. <>=" + tostring(''<>'') + " avg_<>=" - + tostring(''avg_<>'') + " ''stdev_<>''=" + tostring(''stdev_<>'') - + ", " , anomalies) ] | eval anomalies = replace(anomalies, ",\s$", "") | where - anomalies!="" | stats count values(anomalies) as anomalies by host.name k8s.cluster.name - k8s.node.name process.executable.name | where count > 5 | rename host.name as host - | `kubernetes_process_with_resource_ratio_anomalies_filter`' +search: '| mstats avg(process.*) as process.* where `kubernetes_metrics` by host.name k8s.cluster.name k8s.node.name process.executable.name span=10s | eval cpu:mem = ''process.cpu.utilization''/''process.memory.utilization'' | eval cpu:disk = ''process.cpu.utilization''/''process.disk.operations'' | eval mem:disk = ''process.memory.utilization''/''process.disk.operations'' | eval cpu:threads = ''process.cpu.utilization''/''process.threads'' | eval disk:threads = ''process.disk.operations''/''process.threads'' | eval key = ''k8s.cluster.name'' + ":" + ''host.name'' + ":" + ''process.executable.name'' | lookup k8s_process_resource_ratio_baseline key | fillnull | eval anomalies = "" | foreach stdev_* [ eval anomalies =if( ''<>'' > (''avg_<>'' + 4 * ''stdev_<>''), anomalies + "<> ratio higher than average by " + tostring(round((''<>'' - ''avg_<>'')/''stdev_<>'' ,2)) + " Standard Deviations. <>=" + tostring(''<>'') + " avg_<>=" + tostring(''avg_<>'') + " ''stdev_<>''=" + tostring(''stdev_<>'') + ", " , anomalies) ] | eval anomalies = replace(anomalies, ",\s$", "") | where anomalies!="" | stats count values(anomalies) as anomalies by host.name k8s.cluster.name k8s.node.name process.executable.name | where count > 5 | rename host.name as host | `kubernetes_process_with_resource_ratio_anomalies_filter`' how_to_implement: 'To implement this detection, follow these steps: * Deploy the OpenTelemetry Collector (OTEL) to your Kubernetes cluster. * Enable the hostmetrics/process receiver in the OTEL configuration. - * Ensure that the process metrics, specifically Process.cpu.utilization and process.memory.utilization, - are enabled. + * Ensure that the process metrics, specifically Process.cpu.utilization and process.memory.utilization, are enabled. * Install the Splunk Infrastructure Monitoring (SIM) add-on. (ref: https://splunkbase.splunk.com/app/5247) - * Configure the SIM add-on with your Observability Cloud Organization ID and Access - Token. + * Configure the SIM add-on with your Observability Cloud Organization ID and Access Token. * Set up the SIM modular input to ingest Process Metrics. Name this input "sim_process_metrics_to_metrics_index". - * In the SIM configuration, set the Organization ID to your Observability Cloud - Organization ID. + * In the SIM configuration, set the Organization ID to your Observability Cloud Organization ID. - * Set the Signal Flow Program to the following: data(''process.threads'').publish(label=''A''); - data(''process.cpu.utilization'').publish(label=''B''); data(''process.cpu.time'').publish(label=''C''); - data(''process.disk.io'').publish(label=''D''); data(''process.memory.usage'').publish(label=''E''); - data(''process.memory.virtual'').publish(label=''F''); data(''process.memory.utilization'').publish(label=''G''); - data(''process.cpu.utilization'').publish(label=''H''); data(''process.disk.operations'').publish(label=''I''); - data(''process.handles'').publish(label=''J''); data(''process.threads'').publish(label=''K'') + * Set the Signal Flow Program to the following: data(''process.threads'').publish(label=''A''); data(''process.cpu.utilization'').publish(label=''B''); data(''process.cpu.time'').publish(label=''C''); data(''process.disk.io'').publish(label=''D''); data(''process.memory.usage'').publish(label=''E''); data(''process.memory.virtual'').publish(label=''F''); data(''process.memory.utilization'').publish(label=''G''); data(''process.cpu.utilization'').publish(label=''H''); data(''process.disk.operations'').publish(label=''I''); data(''process.handles'').publish(label=''J''); data(''process.threads'').publish(label=''K'') * Set the Metric Resolution to 10000. diff --git a/detections/cloud/kubernetes_scanner_image_pulling.yml b/detections/cloud/kubernetes_scanner_image_pulling.yml index 83f2e1059e..f3f167b7cd 100644 --- a/detections/cloud/kubernetes_scanner_image_pulling.yml +++ b/detections/cloud/kubernetes_scanner_image_pulling.yml @@ -13,12 +13,12 @@ known_false_positives: unknown references: - https://github.com/splunk/splunk-connect-for-kubernetes drilldown_searches: -- name: View the detection results for $host$ - search: '%original_detection_search% | search host = $host$' +- name: View the detection results for - "$host$" + search: '%original_detection_search% | search host = "$host$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $host$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($host$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$host$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$host$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/cloud/kubernetes_scanning_by_unauthenticated_ip_address.yml b/detections/cloud/kubernetes_scanning_by_unauthenticated_ip_address.yml index bd064c5caf..125dc24ea3 100644 --- a/detections/cloud/kubernetes_scanning_by_unauthenticated_ip_address.yml +++ b/detections/cloud/kubernetes_scanning_by_unauthenticated_ip_address.yml @@ -14,12 +14,12 @@ known_false_positives: unknown references: - https://kubernetes.io/docs/tasks/debug/debug-cluster/audit/ drilldown_searches: -- name: View the detection results for $user$ - search: '%original_detection_search% | search user = $user$' +- name: View the detection results for - "$user$" + search: '%original_detection_search% | search user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/cloud/kubernetes_shell_running_on_worker_node.yml b/detections/cloud/kubernetes_shell_running_on_worker_node.yml index 0a79e92315..b3892a118e 100644 --- a/detections/cloud/kubernetes_shell_running_on_worker_node.yml +++ b/detections/cloud/kubernetes_shell_running_on_worker_node.yml @@ -5,47 +5,26 @@ date: '2024-10-17' author: Matthew Moore, Splunk status: experimental type: Anomaly -description: The following analytic identifies shell activity within the Kubernetes - privilege scope on a worker node. It leverages process metrics from an OTEL collector - hostmetrics receiver, specifically process.cpu.utilization and process.memory.utilization, - pulled from Splunk Observability Cloud. This activity is significant as unauthorized - shell processes can indicate potential security threats, providing attackers an - entry point to compromise the node and the entire Kubernetes cluster. If confirmed - malicious, this activity could lead to data theft, service disruption, privilege - escalation, lateral movement, and further attacks, severely compromising the cluster's - security and integrity. +description: The following analytic identifies shell activity within the Kubernetes privilege scope on a worker node. It leverages process metrics from an OTEL collector hostmetrics receiver, specifically process.cpu.utilization and process.memory.utilization, pulled from Splunk Observability Cloud. This activity is significant as unauthorized shell processes can indicate potential security threats, providing attackers an entry point to compromise the node and the entire Kubernetes cluster. If confirmed malicious, this activity could lead to data theft, service disruption, privilege escalation, lateral movement, and further attacks, severely compromising the cluster's security and integrity. data_source: [] -search: '| mstats avg(process.cpu.utilization) as process.cpu.utilization avg(process.memory.utilization) as process.memory.utilization - where `kubernetes_metrics` AND process.executable.name IN ("sh","bash","csh", "tcsh") by host.name k8s.cluster.name k8s.node.name process.pid process.executable.name span=10s - | search process.cpu.utilization>0 OR process.memory.utilization>0 - | stats avg(process.cpu.utilization) as process.cpu.utilization avg(process.memory.utilization) as process.memory.utilization by host.name k8s.cluster.name k8s.node.name process.pid process.executable.name - | rename host.name as host - | `kubernetes_shell_running_on_worker_node_filter`' -how_to_implement: 'To implement this detection, follow these steps: - +search: '| mstats avg(process.cpu.utilization) as process.cpu.utilization avg(process.memory.utilization) as process.memory.utilization where `kubernetes_metrics` AND process.executable.name IN ("sh","bash","csh", "tcsh") by host.name k8s.cluster.name k8s.node.name process.pid process.executable.name span=10s | search process.cpu.utilization>0 OR process.memory.utilization>0 | stats avg(process.cpu.utilization) as process.cpu.utilization avg(process.memory.utilization) as process.memory.utilization by host.name k8s.cluster.name k8s.node.name process.pid process.executable.name | rename host.name as host | `kubernetes_shell_running_on_worker_node_filter`' +how_to_implement: 'To implement this detection, follow these steps: + * Deploy the OpenTelemetry Collector (OTEL) to your Kubernetes cluster. * Enable the hostmetrics/process receiver in the OTEL configuration. - * Ensure that the process metrics, specifically Process.cpu.utilization and process.memory.utilization, - are enabled. + * Ensure that the process metrics, specifically Process.cpu.utilization and process.memory.utilization, are enabled. * Install the Splunk Infrastructure Monitoring (SIM) add-on. (ref: https://splunkbase.splunk.com/app/5247) - * Configure the SIM add-on with your Observability Cloud Organization ID and Access - Token. + * Configure the SIM add-on with your Observability Cloud Organization ID and Access Token. * Set up the SIM modular input to ingest Process Metrics. Name this input "sim_process_metrics_to_metrics_index". - * In the SIM configuration, set the Organization ID to your Observability Cloud - Organization ID. + * In the SIM configuration, set the Organization ID to your Observability Cloud Organization ID. - * Set the Signal Flow Program to the following: data(''process.threads'').publish(label=''A''); - data(''process.cpu.utilization'').publish(label=''B''); data(''process.cpu.time'').publish(label=''C''); - data(''process.disk.io'').publish(label=''D''); data(''process.memory.usage'').publish(label=''E''); - data(''process.memory.virtual'').publish(label=''F''); data(''process.memory.utilization'').publish(label=''G''); - data(''process.cpu.utilization'').publish(label=''H''); data(''process.disk.operations'').publish(label=''I''); - data(''process.handles'').publish(label=''J''); data(''process.threads'').publish(label=''K'') + * Set the Signal Flow Program to the following: data(''process.threads'').publish(label=''A''); data(''process.cpu.utilization'').publish(label=''B''); data(''process.cpu.time'').publish(label=''C''); data(''process.disk.io'').publish(label=''D''); data(''process.memory.usage'').publish(label=''E''); data(''process.memory.virtual'').publish(label=''F''); data(''process.memory.utilization'').publish(label=''G''); data(''process.cpu.utilization'').publish(label=''H''); data(''process.disk.operations'').publish(label=''I''); data(''process.handles'').publish(label=''J''); data(''process.threads'').publish(label=''K'') * Set the Metric Resolution to 10000. diff --git a/detections/cloud/kubernetes_shell_running_on_worker_node_with_cpu_activity.yml b/detections/cloud/kubernetes_shell_running_on_worker_node_with_cpu_activity.yml index 39b2dc540c..c99c2d7139 100644 --- a/detections/cloud/kubernetes_shell_running_on_worker_node_with_cpu_activity.yml +++ b/detections/cloud/kubernetes_shell_running_on_worker_node_with_cpu_activity.yml @@ -5,48 +5,26 @@ date: '2024-10-17' author: Matthew Moore, Splunk status: experimental type: Anomaly -description: The following analytic identifies shell activity within the Kubernetes - privilege scope on a worker node, specifically when shell processes are consuming - CPU resources. It leverages process metrics from an OTEL collector hostmetrics receiver, - pulled from Splunk Observability Cloud via the Splunk Infrastructure Monitoring - Add-on, focusing on process.cpu.utilization and process.memory.utilization. This - activity is significant as unauthorized shell processes can indicate a security - threat, potentially compromising the node and the entire Kubernetes cluster. If - confirmed malicious, attackers could gain full control over the host's resources, - leading to data theft, service disruption, privilege escalation, and further attacks - within the cluster. +description: The following analytic identifies shell activity within the Kubernetes privilege scope on a worker node, specifically when shell processes are consuming CPU resources. It leverages process metrics from an OTEL collector hostmetrics receiver, pulled from Splunk Observability Cloud via the Splunk Infrastructure Monitoring Add-on, focusing on process.cpu.utilization and process.memory.utilization. This activity is significant as unauthorized shell processes can indicate a security threat, potentially compromising the node and the entire Kubernetes cluster. If confirmed malicious, attackers could gain full control over the host's resources, leading to data theft, service disruption, privilege escalation, and further attacks within the cluster. data_source: [] -search: '| mstats avg(process.cpu.utilization) as process.cpu.utilization avg(process.memory.utilization) as process.memory.utilization - where `kubernetes_metrics` AND process.executable.name IN ("sh","bash","csh", "tcsh") by host.name k8s.cluster.name k8s.node.name process.pid process.executable.name span=10s - | search process.cpu.utilization>0 - | stats avg(process.cpu.utilization) as process.cpu.utilization avg(process.memory.utilization) as process.memory.utilization by host.name k8s.cluster.name k8s.node.name process.pid process.executable.name - | rename host.name as host - | `kubernetes_shell_running_on_worker_node_with_cpu_activity_filter`' -how_to_implement: 'To implement this detection, follow these steps: - +search: '| mstats avg(process.cpu.utilization) as process.cpu.utilization avg(process.memory.utilization) as process.memory.utilization where `kubernetes_metrics` AND process.executable.name IN ("sh","bash","csh", "tcsh") by host.name k8s.cluster.name k8s.node.name process.pid process.executable.name span=10s | search process.cpu.utilization>0 | stats avg(process.cpu.utilization) as process.cpu.utilization avg(process.memory.utilization) as process.memory.utilization by host.name k8s.cluster.name k8s.node.name process.pid process.executable.name | rename host.name as host | `kubernetes_shell_running_on_worker_node_with_cpu_activity_filter`' +how_to_implement: 'To implement this detection, follow these steps: + * Deploy the OpenTelemetry Collector (OTEL) to your Kubernetes cluster. * Enable the hostmetrics/process receiver in the OTEL configuration. - * Ensure that the process metrics, specifically Process.cpu.utilization and process.memory.utilization, - are enabled. + * Ensure that the process metrics, specifically Process.cpu.utilization and process.memory.utilization, are enabled. * Install the Splunk Infrastructure Monitoring (SIM) add-on. (ref: https://splunkbase.splunk.com/app/5247) - * Configure the SIM add-on with your Observability Cloud Organization ID and Access - Token. + * Configure the SIM add-on with your Observability Cloud Organization ID and Access Token. * Set up the SIM modular input to ingest Process Metrics. Name this input "sim_process_metrics_to_metrics_index". - * In the SIM configuration, set the Organization ID to your Observability Cloud - Organization ID. + * In the SIM configuration, set the Organization ID to your Observability Cloud Organization ID. - * Set the Signal Flow Program to the following: data(''process.threads'').publish(label=''A''); - data(''process.cpu.utilization'').publish(label=''B''); data(''process.cpu.time'').publish(label=''C''); - data(''process.disk.io'').publish(label=''D''); data(''process.memory.usage'').publish(label=''E''); - data(''process.memory.virtual'').publish(label=''F''); data(''process.memory.utilization'').publish(label=''G''); - data(''process.cpu.utilization'').publish(label=''H''); data(''process.disk.operations'').publish(label=''I''); - data(''process.handles'').publish(label=''J''); data(''process.threads'').publish(label=''K'') + * Set the Signal Flow Program to the following: data(''process.threads'').publish(label=''A''); data(''process.cpu.utilization'').publish(label=''B''); data(''process.cpu.time'').publish(label=''C''); data(''process.disk.io'').publish(label=''D''); data(''process.memory.usage'').publish(label=''E''); data(''process.memory.virtual'').publish(label=''F''); data(''process.memory.utilization'').publish(label=''G''); data(''process.cpu.utilization'').publish(label=''H''); data(''process.disk.operations'').publish(label=''I''); data(''process.handles'').publish(label=''J''); data(''process.threads'').publish(label=''K'') * Set the Metric Resolution to 10000. diff --git a/detections/cloud/kubernetes_suspicious_image_pulling.yml b/detections/cloud/kubernetes_suspicious_image_pulling.yml index 87edd1f611..0788cc43cd 100644 --- a/detections/cloud/kubernetes_suspicious_image_pulling.yml +++ b/detections/cloud/kubernetes_suspicious_image_pulling.yml @@ -14,12 +14,12 @@ known_false_positives: unknown references: - https://kubernetes.io/docs/tasks/debug/debug-cluster/audit/ drilldown_searches: -- name: View the detection results for $user$ - search: '%original_detection_search% | search user = $user$' +- name: View the detection results for - "$user$" + search: '%original_detection_search% | search user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/cloud/kubernetes_unauthorized_access.yml b/detections/cloud/kubernetes_unauthorized_access.yml index b73d825903..823255c842 100644 --- a/detections/cloud/kubernetes_unauthorized_access.yml +++ b/detections/cloud/kubernetes_unauthorized_access.yml @@ -14,12 +14,12 @@ known_false_positives: unknown references: - https://kubernetes.io/docs/tasks/debug/debug-cluster/audit/ drilldown_searches: -- name: View the detection results for $user$ - search: '%original_detection_search% | search user = $user$' +- name: View the detection results for - "$user$" + search: '%original_detection_search% | search user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/cloud/o365_add_app_role_assignment_grant_user.yml b/detections/cloud/o365_add_app_role_assignment_grant_user.yml index d292cf488f..447d408f9c 100644 --- a/detections/cloud/o365_add_app_role_assignment_grant_user.yml +++ b/detections/cloud/o365_add_app_role_assignment_grant_user.yml @@ -15,12 +15,12 @@ references: - https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/wp-m-unc2452-2021-000343-01.pdf - https://www.cisa.gov/uscert/ncas/alerts/aa21-008a drilldown_searches: -- name: View the detection results for $user$ and $dest$ - search: '%original_detection_search% | search user = $user$ dest = $dest$' +- name: View the detection results for - "$user$" and "$dest$" + search: '%original_detection_search% | search user = "$user$" dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ and $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$, $dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" and "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/cloud/o365_added_service_principal.yml b/detections/cloud/o365_added_service_principal.yml index 12f16a94a9..75ecee1d77 100644 --- a/detections/cloud/o365_added_service_principal.yml +++ b/detections/cloud/o365_added_service_principal.yml @@ -17,12 +17,12 @@ references: - https://www.splunk.com/en_us/blog/security/a-golden-saml-journey-solarwinds-continued.html - https://blog.sygnia.co/detection-and-hunting-of-golden-saml-attack?hsLang=en drilldown_searches: -- name: View the detection results for $src_user$ - search: '%original_detection_search% | search src_user = $src_user$' +- name: View the detection results for - "$src_user$" + search: '%original_detection_search% | search src_user = "$src_user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $src_user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($src_user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$src_user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src_user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/cloud/o365_admin_consent_bypassed_by_service_principal.yml b/detections/cloud/o365_admin_consent_bypassed_by_service_principal.yml index 413f7b24cd..ae7dba3eb8 100644 --- a/detections/cloud/o365_admin_consent_bypassed_by_service_principal.yml +++ b/detections/cloud/o365_admin_consent_bypassed_by_service_principal.yml @@ -19,12 +19,12 @@ references: - https://www.microsoft.com/en-us/security/blog/2024/01/25/midnight-blizzard-guidance-for-responders-on-nation-state-attack/ - https://winsmarts.com/how-to-grant-admin-consent-to-an-api-programmatically-e32f4a100e9d drilldown_searches: -- name: View the detection results for $dest_user$ - search: '%original_detection_search% | search dest_user = $dest_user$' +- name: View the detection results for - "$dest_user$" + search: '%original_detection_search% | search dest_user = "$dest_user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest_user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest_user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest_user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest_user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/cloud/o365_advanced_audit_disabled.yml b/detections/cloud/o365_advanced_audit_disabled.yml index ec06dbd608..e46058734e 100644 --- a/detections/cloud/o365_advanced_audit_disabled.yml +++ b/detections/cloud/o365_advanced_audit_disabled.yml @@ -16,12 +16,12 @@ references: - https://www.mandiant.com/sites/default/files/2022-08/remediation-hardening-strategies-for-m365-defend-against-apt29-white-paper.pdf - https://www.csoonline.com/article/570381/microsoft-365-advanced-audit-what-you-need-to-know.html drilldown_searches: -- name: View the detection results for $user$ - search: '%original_detection_search% | search user = $user$' +- name: View the detection results for - "$user$" + search: '%original_detection_search% | search user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/cloud/o365_application_available_to_other_tenants.yml b/detections/cloud/o365_application_available_to_other_tenants.yml index ee1d0ecbb6..5eec413e79 100644 --- a/detections/cloud/o365_application_available_to_other_tenants.yml +++ b/detections/cloud/o365_application_available_to_other_tenants.yml @@ -16,12 +16,12 @@ references: - https://msrc.microsoft.com/blog/2023/03/guidance-on-potential-misconfiguration-of-authorization-of-multi-tenant-applications-that-use-azure-ad/ - https://www.wiz.io/blog/azure-active-directory-bing-misconfiguration drilldown_searches: -- name: View the detection results for $user$ - search: '%original_detection_search% | search user = $user$' +- name: View the detection results for - "$user$" + search: '%original_detection_search% | search user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/cloud/o365_application_registration_owner_added.yml b/detections/cloud/o365_application_registration_owner_added.yml index 4dcf58811a..a3051338f4 100644 --- a/detections/cloud/o365_application_registration_owner_added.yml +++ b/detections/cloud/o365_application_registration_owner_added.yml @@ -15,12 +15,12 @@ references: - https://attack.mitre.org/techniques/T1098/ - https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/overview-assign-app-owners drilldown_searches: -- name: View the detection results for $user$ - search: '%original_detection_search% | search user = $user$' +- name: View the detection results for - "$user$" + search: '%original_detection_search% | search user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/cloud/o365_applicationimpersonation_role_assigned.yml b/detections/cloud/o365_applicationimpersonation_role_assigned.yml index c26f9edbed..752dae0b2b 100644 --- a/detections/cloud/o365_applicationimpersonation_role_assigned.yml +++ b/detections/cloud/o365_applicationimpersonation_role_assigned.yml @@ -16,12 +16,12 @@ references: - https://www.mandiant.com/resources/blog/remediation-and-hardening-strategies-for-microsoft-365-to-defend-against-unc2452 - https://www.mandiant.com/media/17656 drilldown_searches: -- name: View the detection results for $target_user$ and $user$ - search: '%original_detection_search% | search target_user = $target_user$ user = $user$' +- name: View the detection results for - "$target_user$" and "$user$" + search: '%original_detection_search% | search target_user = "$target_user$" user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $target_user$ and $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($target_user$, $user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$target_user$" and "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$target_user$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/cloud/o365_block_user_consent_for_risky_apps_disabled.yml b/detections/cloud/o365_block_user_consent_for_risky_apps_disabled.yml index fd97f454b4..950904c721 100644 --- a/detections/cloud/o365_block_user_consent_for_risky_apps_disabled.yml +++ b/detections/cloud/o365_block_user_consent_for_risky_apps_disabled.yml @@ -17,12 +17,12 @@ references: - https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/configure-risk-based-step-up-consent - https://learn.microsoft.com/en-us/defender-cloud-apps/investigate-risky-oauth drilldown_searches: -- name: View the detection results for $user$ - search: '%original_detection_search% | search user = $user$' +- name: View the detection results for - "$user$" + search: '%original_detection_search% | search user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/cloud/o365_bypass_mfa_via_trusted_ip.yml b/detections/cloud/o365_bypass_mfa_via_trusted_ip.yml index 354894e701..a299a27eab 100644 --- a/detections/cloud/o365_bypass_mfa_via_trusted_ip.yml +++ b/detections/cloud/o365_bypass_mfa_via_trusted_ip.yml @@ -16,12 +16,12 @@ references: - https://attack.mitre.org/techniques/T1562/007/ - https://learn.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-mfasettings drilldown_searches: -- name: View the detection results for $user_id$ - search: '%original_detection_search% | search user_id = $user_id$' +- name: View the detection results for - "$user_id$" + search: '%original_detection_search% | search user_id = "$user_id$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user_id$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user_id$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user_id$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user_id$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/cloud/o365_compliance_content_search_exported.yml b/detections/cloud/o365_compliance_content_search_exported.yml index e5aa9fca24..a574fb11a8 100644 --- a/detections/cloud/o365_compliance_content_search_exported.yml +++ b/detections/cloud/o365_compliance_content_search_exported.yml @@ -16,12 +16,12 @@ references: - https://learn.microsoft.com/en-us/purview/ediscovery-keyword-queries-and-search-conditions - https://learn.microsoft.com/en-us/purview/ediscovery-search-for-activities-in-the-audit-log drilldown_searches: -- name: View the detection results for $user$ - search: '%original_detection_search% | search user = $user$' +- name: View the detection results for - "$user$" + search: '%original_detection_search% | search user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/cloud/o365_compliance_content_search_started.yml b/detections/cloud/o365_compliance_content_search_started.yml index 8273aac04c..664bb9390a 100644 --- a/detections/cloud/o365_compliance_content_search_started.yml +++ b/detections/cloud/o365_compliance_content_search_started.yml @@ -16,12 +16,12 @@ references: - https://learn.microsoft.com/en-us/purview/ediscovery-keyword-queries-and-search-conditions - https://learn.microsoft.com/en-us/purview/ediscovery-search-for-activities-in-the-audit-log drilldown_searches: -- name: View the detection results for $user$ - search: '%original_detection_search% | search user = $user$' +- name: View the detection results for - "$user$" + search: '%original_detection_search% | search user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/cloud/o365_concurrent_sessions_from_different_ips.yml b/detections/cloud/o365_concurrent_sessions_from_different_ips.yml index bcb544afd1..ed89c8268f 100644 --- a/detections/cloud/o365_concurrent_sessions_from_different_ips.yml +++ b/detections/cloud/o365_concurrent_sessions_from_different_ips.yml @@ -16,12 +16,12 @@ references: - https://breakdev.org/evilginx-2-next-generation-of-phishing-2fa-tokens/ - https://github.com/kgretzky/evilginx2 drilldown_searches: -- name: View the detection results for $user$ - search: '%original_detection_search% | search user = $user$' +- name: View the detection results for - "$user$" + search: '%original_detection_search% | search user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/cloud/o365_cross_tenant_access_change.yml b/detections/cloud/o365_cross_tenant_access_change.yml index 3adb3784b3..3cf427f322 100644 --- a/detections/cloud/o365_cross_tenant_access_change.yml +++ b/detections/cloud/o365_cross_tenant_access_change.yml @@ -17,12 +17,12 @@ references: - https://cyberaffairs.com/news/emerging-attacker-exploit-microsoft-cross-tenant-synchronization/ - https://www.crowdstrike.com/blog/crowdstrike-defends-against-azure-cross-tenant-synchronization-attacks/ drilldown_searches: -- name: View the detection results for $user$ - search: '%original_detection_search% | search user = $user$' +- name: View the detection results for - "$user$" + search: '%original_detection_search% | search user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/cloud/o365_disable_mfa.yml b/detections/cloud/o365_disable_mfa.yml index 3edc0ff963..0def1549eb 100644 --- a/detections/cloud/o365_disable_mfa.yml +++ b/detections/cloud/o365_disable_mfa.yml @@ -14,12 +14,12 @@ known_false_positives: Unless it is a special case, it is uncommon to disable MF references: - https://attack.mitre.org/techniques/T1556/ drilldown_searches: -- name: View the detection results for $user$ - search: '%original_detection_search% | search user = $user$' +- name: View the detection results for - "$user$" + search: '%original_detection_search% | search user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/cloud/o365_dlp_rule_triggered.yml b/detections/cloud/o365_dlp_rule_triggered.yml index d9bb37db64..bcb32a9ba3 100644 --- a/detections/cloud/o365_dlp_rule_triggered.yml +++ b/detections/cloud/o365_dlp_rule_triggered.yml @@ -14,12 +14,12 @@ known_false_positives: WIll depending on accuracy of DLP rules, these can be noi references: - https://learn.microsoft.com/en-us/purview/dlp-learn-about-dlp drilldown_searches: -- name: View the detection results for $src_user$ - search: '%original_detection_search% | search src_user = $src_user$' +- name: View the detection results for - "$src_user$" + search: '%original_detection_search% | search src_user = "$src_user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $src_user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($src_user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$src_user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src_user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/cloud/o365_elevated_mailbox_permission_assigned.yml b/detections/cloud/o365_elevated_mailbox_permission_assigned.yml index af8b3d7962..acf769c285 100644 --- a/detections/cloud/o365_elevated_mailbox_permission_assigned.yml +++ b/detections/cloud/o365_elevated_mailbox_permission_assigned.yml @@ -15,12 +15,12 @@ references: - https://learn.microsoft.com/en-us/powershell/module/exchange/add-mailboxpermission - https://learn.microsoft.com/en-us/exchange/recipients/mailbox-permissions?view=exchserver-2019 drilldown_searches: -- name: View the detection results for $dest_user$ - search: '%original_detection_search% | search dest_user = $dest_user$' +- name: View the detection results for - "$dest_user$" + search: '%original_detection_search% | search dest_user = "$dest_user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest_user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest_user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest_user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest_user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/cloud/o365_email_access_by_security_administrator.yml b/detections/cloud/o365_email_access_by_security_administrator.yml index 25a2295864..ef2bfd498a 100644 --- a/detections/cloud/o365_email_access_by_security_administrator.yml +++ b/detections/cloud/o365_email_access_by_security_administrator.yml @@ -14,12 +14,12 @@ known_false_positives: Legitamate access by security administators for incident references: - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/threat-explorer-investigate-delivered-malicious-email?view=o365-worldwide drilldown_searches: -- name: View the detection results for $user$ and $src_user$ - search: '%original_detection_search% | search user = $user$ src_user = $src_user$' +- name: View the detection results for - "$user$" and "$src_user$" + search: '%original_detection_search% | search user = "$user$" src_user = "$src_user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ and $src_user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$, $src_user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" and "$src_user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$src_user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/cloud/o365_email_reported_by_admin_found_malicious.yml b/detections/cloud/o365_email_reported_by_admin_found_malicious.yml index 64b3e4584f..91581c52fe 100644 --- a/detections/cloud/o365_email_reported_by_admin_found_malicious.yml +++ b/detections/cloud/o365_email_reported_by_admin_found_malicious.yml @@ -14,12 +14,12 @@ known_false_positives: Administrators that submit known phishing training exerci references: - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/submissions-outlook-report-messages?view=o365-worldwide drilldown_searches: -- name: View the detection results for $src_user$ and $user$ - search: '%original_detection_search% | search src_user = $src_user$ user = $user$' +- name: View the detection results for - "$src_user$" and "$user$" + search: '%original_detection_search% | search src_user = "$src_user$" user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $src_user$ and $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($src_user$, $user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$src_user$" and "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src_user$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/cloud/o365_email_reported_by_user_found_malicious.yml b/detections/cloud/o365_email_reported_by_user_found_malicious.yml index 81469eb1c4..5028496a5a 100644 --- a/detections/cloud/o365_email_reported_by_user_found_malicious.yml +++ b/detections/cloud/o365_email_reported_by_user_found_malicious.yml @@ -14,12 +14,12 @@ known_false_positives: unknown references: - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/submissions-outlook-report-messages?view=o365-worldwide drilldown_searches: -- name: View the detection results for $src_user$ and $user$ - search: '%original_detection_search% | search src_user = $src_user$ user = $user$' +- name: View the detection results for - "$src_user$" and "$user$" + search: '%original_detection_search% | search src_user = "$src_user$" user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $src_user$ and $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($src_user$, $user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$src_user$" and "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src_user$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/cloud/o365_email_security_feature_changed.yml b/detections/cloud/o365_email_security_feature_changed.yml index caaffd559a..ef1b501212 100644 --- a/detections/cloud/o365_email_security_feature_changed.yml +++ b/detections/cloud/o365_email_security_feature_changed.yml @@ -15,12 +15,12 @@ references: - https://learn.microsoft.com/en-us/entra/fundamentals/security-defaults - https://attack.mitre.org/techniques/T1562/008/ drilldown_searches: -- name: View the detection results for $user$ - search: '%original_detection_search% | search user = $user$' +- name: View the detection results for - "$user$" + search: '%original_detection_search% | search user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/cloud/o365_email_suspicious_behavior_alert.yml b/detections/cloud/o365_email_suspicious_behavior_alert.yml index 2de1548353..f6040c0403 100644 --- a/detections/cloud/o365_email_suspicious_behavior_alert.yml +++ b/detections/cloud/o365_email_suspicious_behavior_alert.yml @@ -14,12 +14,12 @@ known_false_positives: Users emailing for legitimate business purposes that appe references: - https://learn.microsoft.com/en-us/purview/alert-policies drilldown_searches: -- name: View the detection results for $user$ - search: '%original_detection_search% | search user = $user$' +- name: View the detection results for - "$user$" + search: '%original_detection_search% | search user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/cloud/o365_excessive_authentication_failures_alert.yml b/detections/cloud/o365_excessive_authentication_failures_alert.yml index 0357737f9c..e54e26d134 100644 --- a/detections/cloud/o365_excessive_authentication_failures_alert.yml +++ b/detections/cloud/o365_excessive_authentication_failures_alert.yml @@ -13,12 +13,12 @@ known_false_positives: The threshold for alert is above 10 attempts and this sho references: - https://attack.mitre.org/techniques/T1110/ drilldown_searches: -- name: View the detection results for $user$ - search: '%original_detection_search% | search user = $user$' +- name: View the detection results for - "$user$" + search: '%original_detection_search% | search user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/cloud/o365_excessive_sso_logon_errors.yml b/detections/cloud/o365_excessive_sso_logon_errors.yml index e257d7720e..16596fc2bf 100644 --- a/detections/cloud/o365_excessive_sso_logon_errors.yml +++ b/detections/cloud/o365_excessive_sso_logon_errors.yml @@ -14,12 +14,12 @@ known_false_positives: Logon errors may not be malicious in nature however it ma references: - https://stealthbits.com/blog/bypassing-mfa-with-pass-the-cookie/ drilldown_searches: -- name: View the detection results for $user$ - search: '%original_detection_search% | search user = $user$' +- name: View the detection results for - "$user$" + search: '%original_detection_search% | search user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/cloud/o365_external_guest_user_invited.yml b/detections/cloud/o365_external_guest_user_invited.yml index 920ec09b6d..bf5f60864d 100644 --- a/detections/cloud/o365_external_guest_user_invited.yml +++ b/detections/cloud/o365_external_guest_user_invited.yml @@ -17,12 +17,12 @@ references: - https://attack.mitre.org/techniques/T1136/003/ - https://docs.microsoft.com/en-us/azure/active-directory/external-identities/b2b-quickstart-add-guest-users-portal drilldown_searches: -- name: View the detection results for $user$ and $src_user$ - search: '%original_detection_search% | search user = $user$ src_user = $src_user$' +- name: View the detection results for - "$user$" and "$src_user$" + search: '%original_detection_search% | search user = "$user$" src_user = "$src_user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ and $src_user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$, $src_user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" and "$src_user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$src_user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/cloud/o365_external_identity_policy_changed.yml b/detections/cloud/o365_external_identity_policy_changed.yml index 6745586803..068b20814a 100644 --- a/detections/cloud/o365_external_identity_policy_changed.yml +++ b/detections/cloud/o365_external_identity_policy_changed.yml @@ -15,12 +15,12 @@ references: - https://medium.com/tenable-techblog/roles-allowing-to-abuse-entra-id-federation-for-persistence-and-privilege-escalation-df9ca6e58360 - https://learn.microsoft.com/en-us/entra/external-id/external-identities-overview drilldown_searches: -- name: View the detection results for $user$ - search: '%original_detection_search% | search user = $user$' +- name: View the detection results for - "$user$" + search: '%original_detection_search% | search user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/cloud/o365_file_permissioned_application_consent_granted_by_user.yml b/detections/cloud/o365_file_permissioned_application_consent_granted_by_user.yml index ace032c407..a0cd7652b3 100644 --- a/detections/cloud/o365_file_permissioned_application_consent_granted_by_user.yml +++ b/detections/cloud/o365_file_permissioned_application_consent_granted_by_user.yml @@ -18,12 +18,12 @@ references: - https://www.alteredsecurity.com/post/introduction-to-365-stealer - https://github.com/AlteredSecurity/365-Stealer drilldown_searches: -- name: View the detection results for $user$ - search: '%original_detection_search% | search user = $user$' +- name: View the detection results for - "$user$" + search: '%original_detection_search% | search user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/cloud/o365_fullaccessasapp_permission_assigned.yml b/detections/cloud/o365_fullaccessasapp_permission_assigned.yml index 5b9db4409d..325050edd8 100644 --- a/detections/cloud/o365_fullaccessasapp_permission_assigned.yml +++ b/detections/cloud/o365_fullaccessasapp_permission_assigned.yml @@ -16,12 +16,12 @@ references: - https://www.microsoft.com/en-us/security/blog/2024/01/25/midnight-blizzard-guidance-for-responders-on-nation-state-attack/ - https://attack.mitre.org/techniques/T1098/002/ drilldown_searches: -- name: View the detection results for $user$ - search: '%original_detection_search% | search user = $user$' +- name: View the detection results for - "$user$" + search: '%original_detection_search% | search user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/cloud/o365_high_number_of_failed_authentications_for_user.yml b/detections/cloud/o365_high_number_of_failed_authentications_for_user.yml index c6acaade7e..a4a8b48347 100644 --- a/detections/cloud/o365_high_number_of_failed_authentications_for_user.yml +++ b/detections/cloud/o365_high_number_of_failed_authentications_for_user.yml @@ -15,12 +15,12 @@ references: - https://attack.mitre.org/techniques/T1110/ - https://attack.mitre.org/techniques/T1110/001/ drilldown_searches: -- name: View the detection results for $user$ - search: '%original_detection_search% | search user = $user$' +- name: View the detection results for - "$user$" + search: '%original_detection_search% | search user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/cloud/o365_high_privilege_role_granted.yml b/detections/cloud/o365_high_privilege_role_granted.yml index ec09354e98..df073ddb0a 100644 --- a/detections/cloud/o365_high_privilege_role_granted.yml +++ b/detections/cloud/o365_high_privilege_role_granted.yml @@ -17,12 +17,12 @@ references: - https://learn.microsoft.com/en-us/microsoft-365/admin/add-users/about-exchange-online-admin-role?view=o365-worldwide - https://learn.microsoft.com/en-us/sharepoint/sharepoint-admin-role drilldown_searches: -- name: View the detection results for $user$ - search: '%original_detection_search% | search user = $user$' +- name: View the detection results for - "$user$" + search: '%original_detection_search% | search user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/cloud/o365_mail_permissioned_application_consent_granted_by_user.yml b/detections/cloud/o365_mail_permissioned_application_consent_granted_by_user.yml index 97c1ff453f..594c9a1248 100644 --- a/detections/cloud/o365_mail_permissioned_application_consent_granted_by_user.yml +++ b/detections/cloud/o365_mail_permissioned_application_consent_granted_by_user.yml @@ -19,12 +19,12 @@ references: - https://www.alteredsecurity.com/post/introduction-to-365-stealer - https://github.com/AlteredSecurity/365-Stealer drilldown_searches: -- name: View the detection results for $user$ - search: '%original_detection_search% | search user = $user$' +- name: View the detection results for - "$user$" + search: '%original_detection_search% | search user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/cloud/o365_mailbox_email_forwarding_enabled.yml b/detections/cloud/o365_mailbox_email_forwarding_enabled.yml index cdbce25887..30b0618fee 100644 --- a/detections/cloud/o365_mailbox_email_forwarding_enabled.yml +++ b/detections/cloud/o365_mailbox_email_forwarding_enabled.yml @@ -14,12 +14,12 @@ references: - https://attack.mitre.org/techniques/T1114/003/ - https://learn.microsoft.com/en-us/exchange/recipients/user-mailboxes/email-forwarding?view=exchserver-2019 drilldown_searches: -- name: View the detection results for $user$ - search: '%original_detection_search% | search user = $user$' +- name: View the detection results for - "$user$" + search: '%original_detection_search% | search user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/cloud/o365_mailbox_folder_read_permission_assigned.yml b/detections/cloud/o365_mailbox_folder_read_permission_assigned.yml index b7979710a6..67172ac2aa 100644 --- a/detections/cloud/o365_mailbox_folder_read_permission_assigned.yml +++ b/detections/cloud/o365_mailbox_folder_read_permission_assigned.yml @@ -15,12 +15,12 @@ references: - https://learn.microsoft.com/en-us/openspecs/exchange_server_protocols/ms-oxodlgt/5610c6e6-3268-44e3-adff-8804f5315946 - https://learn.microsoft.com/en-us/purview/audit-mailboxes drilldown_searches: -- name: View the detection results for $user$ - search: '%original_detection_search% | search user = $user$' +- name: View the detection results for - "$user$" + search: '%original_detection_search% | search user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/cloud/o365_mailbox_folder_read_permission_granted.yml b/detections/cloud/o365_mailbox_folder_read_permission_granted.yml index f9048e3cb4..79288005d8 100644 --- a/detections/cloud/o365_mailbox_folder_read_permission_granted.yml +++ b/detections/cloud/o365_mailbox_folder_read_permission_granted.yml @@ -15,12 +15,12 @@ references: - https://learn.microsoft.com/en-us/powershell/module/exchange/add-mailboxfolderpermission?view=exchange-ps - https://learn.microsoft.com/en-us/powershell/module/exchange/set-mailboxfolderpermission?view=exchange-ps drilldown_searches: -- name: View the detection results for $user$ - search: '%original_detection_search% | search user = $user$' +- name: View the detection results for - "$user$" + search: '%original_detection_search% | search user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/cloud/o365_mailbox_inbox_folder_shared_with_all_users.yml b/detections/cloud/o365_mailbox_inbox_folder_shared_with_all_users.yml index cbee08d1ba..ea56897f58 100644 --- a/detections/cloud/o365_mailbox_inbox_folder_shared_with_all_users.yml +++ b/detections/cloud/o365_mailbox_inbox_folder_shared_with_all_users.yml @@ -18,12 +18,12 @@ references: - https://learn.microsoft.com/en-us/purview/audit-mailboxes - https://learn.microsoft.com/en-us/openspecs/exchange_server_protocols/ms-oxodlgt/5610c6e6-3268-44e3-adff-8804f5315946 drilldown_searches: -- name: View the detection results for $MailboxOwnerUPN$ - search: '%original_detection_search% | search MailboxOwnerUPN = $MailboxOwnerUPN$' +- name: View the detection results for - "$MailboxOwnerUPN$" + search: '%original_detection_search% | search MailboxOwnerUPN = "$MailboxOwnerUPN$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $MailboxOwnerUPN$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($MailboxOwnerUPN$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$MailboxOwnerUPN$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$MailboxOwnerUPN$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/cloud/o365_mailbox_read_access_granted_to_application.yml b/detections/cloud/o365_mailbox_read_access_granted_to_application.yml index c2fc2d7e1c..1259e0e4d7 100644 --- a/detections/cloud/o365_mailbox_read_access_granted_to_application.yml +++ b/detections/cloud/o365_mailbox_read_access_granted_to_application.yml @@ -19,12 +19,12 @@ references: - https://learn.microsoft.com/en-us/graph/permissions-reference - https://graphpermissions.merill.net/permission/Mail.Read drilldown_searches: -- name: View the detection results for $user$ - search: '%original_detection_search% | search user = $user$' +- name: View the detection results for - "$user$" + search: '%original_detection_search% | search user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/cloud/o365_multi_source_failed_authentications_spike.yml b/detections/cloud/o365_multi_source_failed_authentications_spike.yml index fc36f99c5b..fb433e0003 100644 --- a/detections/cloud/o365_multi_source_failed_authentications_spike.yml +++ b/detections/cloud/o365_multi_source_failed_authentications_spike.yml @@ -7,32 +7,10 @@ status: production type: Hunting data_source: - O365 UserLoginFailed -description: The following analytic identifies a spike in failed authentication attempts - within an Office 365 environment, indicative of a potential distributed password - spraying attack. It leverages UserLoginFailed events from O365 Management Activity - logs, focusing on ErrorNumber 50126. This detection is significant as it highlights - attempts to bypass security controls using multiple IP addresses and user agents. - If confirmed malicious, this activity could lead to unauthorized access, data breaches, - privilege escalation, and lateral movement within the organization. Early detection - is crucial to prevent account takeovers and mitigate subsequent threats. -search: '`o365_management_activity` Workload=AzureActiveDirectory Operation=UserLoginFailed - ErrorNumber=50126 | bucket span=5m _time | eval uniqueIPUserCombo = src_ip . "-" - . user | stats dc(uniqueIPUserCombo) as uniqueIpUserCombinations, dc(user) as uniqueUsers, - dc(src_ip) as uniqueIPs, values(user) as user, values(src_ip) as ips, values(user_agent) - as user_agents by _time | where uniqueIpUserCombinations > 20 AND uniqueUsers > - 20 AND uniqueIPs > 20 | `o365_multi_source_failed_authentications_spike_filter`' -how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest - Office 365 management activity events. The thresholds set within the analytic (such - as unique IPs, unique users, etc.) are initial guidelines and should be customized - based on the organization's user behavior and risk profile. Security teams are encouraged - to adjust these thresholds to optimize the balance between detecting genuine threats - and minimizing false positives, ensuring the detection is tailored to their specific - environment. -known_false_positives: This detection may yield false positives in scenarios where - legitimate bulk sign-in activities occur, such as during company-wide system updates - or when users are accessing resources from varying locations in a short time frame, - such as in the case of VPNs or cloud services that rotate IP addresses. Filter as - needed. +description: The following analytic identifies a spike in failed authentication attempts within an Office 365 environment, indicative of a potential distributed password spraying attack. It leverages UserLoginFailed events from O365 Management Activity logs, focusing on ErrorNumber 50126. This detection is significant as it highlights attempts to bypass security controls using multiple IP addresses and user agents. If confirmed malicious, this activity could lead to unauthorized access, data breaches, privilege escalation, and lateral movement within the organization. Early detection is crucial to prevent account takeovers and mitigate subsequent threats. +search: '`o365_management_activity` Workload=AzureActiveDirectory Operation=UserLoginFailed ErrorNumber=50126 | bucket span=5m _time | eval uniqueIPUserCombo = src_ip . "-" . user | stats dc(uniqueIPUserCombo) as uniqueIpUserCombinations, dc(user) as uniqueUsers, dc(src_ip) as uniqueIPs, values(user) as user, values(src_ip) as ips, values(user_agent) as user_agents by _time | where uniqueIpUserCombinations > 20 AND uniqueUsers > 20 AND uniqueIPs > 20 | `o365_multi_source_failed_authentications_spike_filter`' +how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events. The thresholds set within the analytic (such as unique IPs, unique users, etc.) are initial guidelines and should be customized based on the organization's user behavior and risk profile. Security teams are encouraged to adjust these thresholds to optimize the balance between detecting genuine threats and minimizing false positives, ensuring the detection is tailored to their specific environment. +known_false_positives: This detection may yield false positives in scenarios where legitimate bulk sign-in activities occur, such as during company-wide system updates or when users are accessing resources from varying locations in a short time frame, such as in the case of VPNs or cloud services that rotate IP addresses. Filter as needed. references: - https://attack.mitre.org/techniques/T1110/003/ - https://docs.microsoft.com/en-us/security/compass/incident-response-playbook-password-spray @@ -75,7 +53,6 @@ tags: tests: - name: True Positive Test attack_data: - - data: - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.003/o365_distributed_spray/o365_distributed_spray.log + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.003/o365_distributed_spray/o365_distributed_spray.log source: o365 sourcetype: o365:management:activity diff --git a/detections/cloud/o365_multiple_appids_and_useragents_authentication_spike.yml b/detections/cloud/o365_multiple_appids_and_useragents_authentication_spike.yml index f79393dfa5..304455b896 100644 --- a/detections/cloud/o365_multiple_appids_and_useragents_authentication_spike.yml +++ b/detections/cloud/o365_multiple_appids_and_useragents_authentication_spike.yml @@ -18,12 +18,12 @@ references: - https://github.com/dafthack/MFASweep - https://www.youtube.com/watch?v=SK1zgqaAZ2E drilldown_searches: -- name: View the detection results for $user$ - search: '%original_detection_search% | search user = $user$' +- name: View the detection results for - "$user$" + search: '%original_detection_search% | search user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/cloud/o365_multiple_failed_mfa_requests_for_user.yml b/detections/cloud/o365_multiple_failed_mfa_requests_for_user.yml index f3dcde9c51..bf554c3746 100644 --- a/detections/cloud/o365_multiple_failed_mfa_requests_for_user.yml +++ b/detections/cloud/o365_multiple_failed_mfa_requests_for_user.yml @@ -14,12 +14,12 @@ known_false_positives: Multiple Failed MFA requests may also be a sign of authen references: - https://attack.mitre.org/techniques/T1621/ drilldown_searches: -- name: View the detection results for $user$ - search: '%original_detection_search% | search user = $user$' +- name: View the detection results for - "$user$" + search: '%original_detection_search% | search user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/cloud/o365_multiple_mailboxes_accessed_via_api.yml b/detections/cloud/o365_multiple_mailboxes_accessed_via_api.yml index 04c08ad475..9bef583fad 100644 --- a/detections/cloud/o365_multiple_mailboxes_accessed_via_api.yml +++ b/detections/cloud/o365_multiple_mailboxes_accessed_via_api.yml @@ -19,12 +19,12 @@ references: - https://www.microsoft.com/en-us/security/blog/2024/01/25/midnight-blizzard-guidance-for-responders-on-nation-state-attack/ - https://learn.microsoft.com/en-us/exchange/client-developer/exchange-web-services/ews-applications-and-the-exchange-architecture drilldown_searches: -- name: View the detection results for $user$ - search: '%original_detection_search% | search user = $user$' +- name: View the detection results for - "$user$" + search: '%original_detection_search% | search user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/cloud/o365_multiple_service_principals_created_by_sp.yml b/detections/cloud/o365_multiple_service_principals_created_by_sp.yml index 6ca318abe3..58f45dcc87 100644 --- a/detections/cloud/o365_multiple_service_principals_created_by_sp.yml +++ b/detections/cloud/o365_multiple_service_principals_created_by_sp.yml @@ -15,12 +15,12 @@ references: - https://attack.mitre.org/techniques/T1136/003/ - https://www.microsoft.com/en-us/security/blog/2024/01/25/midnight-blizzard-guidance-for-responders-on-nation-state-attack/ drilldown_searches: -- name: View the detection results for $src_user$ - search: '%original_detection_search% | search src_user = $src_user$' +- name: View the detection results for - "$src_user$" + search: '%original_detection_search% | search src_user = "$src_user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $src_user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($src_user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$src_user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src_user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/cloud/o365_multiple_service_principals_created_by_user.yml b/detections/cloud/o365_multiple_service_principals_created_by_user.yml index 5bfea935ca..f4dbd4ac6c 100644 --- a/detections/cloud/o365_multiple_service_principals_created_by_user.yml +++ b/detections/cloud/o365_multiple_service_principals_created_by_user.yml @@ -15,12 +15,12 @@ references: - https://attack.mitre.org/techniques/T1136/003/ - https://www.microsoft.com/en-us/security/blog/2024/01/25/midnight-blizzard-guidance-for-responders-on-nation-state-attack/ drilldown_searches: -- name: View the detection results for $src_user$ - search: '%original_detection_search% | search src_user = $src_user$' +- name: View the detection results for - "$src_user$" + search: '%original_detection_search% | search src_user = "$src_user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $src_user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($src_user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$src_user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src_user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/cloud/o365_multiple_users_failing_to_authenticate_from_ip.yml b/detections/cloud/o365_multiple_users_failing_to_authenticate_from_ip.yml index 2ffbb4bc6a..2e405cbcb8 100644 --- a/detections/cloud/o365_multiple_users_failing_to_authenticate_from_ip.yml +++ b/detections/cloud/o365_multiple_users_failing_to_authenticate_from_ip.yml @@ -17,12 +17,12 @@ references: - https://www.cisa.gov/uscert/ncas/alerts/aa21-008a - https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes drilldown_searches: -- name: View the detection results for $user$ - search: '%original_detection_search% | search user = $user$' +- name: View the detection results for - "$user$" + search: '%original_detection_search% | search user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/cloud/o365_new_email_forwarding_rule_created.yml b/detections/cloud/o365_new_email_forwarding_rule_created.yml index 4166ec0267..5f08054421 100644 --- a/detections/cloud/o365_new_email_forwarding_rule_created.yml +++ b/detections/cloud/o365_new_email_forwarding_rule_created.yml @@ -13,12 +13,12 @@ known_false_positives: Users may create email forwarding rules for legitimate pu references: - https://attack.mitre.org/techniques/T1114/003/ drilldown_searches: -- name: View the detection results for $user$ - search: '%original_detection_search% | search user = $user$' +- name: View the detection results for - "$user$" + search: '%original_detection_search% | search user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/cloud/o365_new_email_forwarding_rule_enabled.yml b/detections/cloud/o365_new_email_forwarding_rule_enabled.yml index 2120683363..1697760b48 100644 --- a/detections/cloud/o365_new_email_forwarding_rule_enabled.yml +++ b/detections/cloud/o365_new_email_forwarding_rule_enabled.yml @@ -13,12 +13,12 @@ known_false_positives: Users may create email forwarding rules for legitimate pu references: - https://attack.mitre.org/techniques/T1114/003/ drilldown_searches: -- name: View the detection results for $user$ - search: '%original_detection_search% | search user = $user$' +- name: View the detection results for - "$user$" + search: '%original_detection_search% | search user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/cloud/o365_new_federated_domain_added.yml b/detections/cloud/o365_new_federated_domain_added.yml index 3715099dd6..429a39b7ea 100644 --- a/detections/cloud/o365_new_federated_domain_added.yml +++ b/detections/cloud/o365_new_federated_domain_added.yml @@ -18,12 +18,12 @@ references: - https://blog.sygnia.co/detection-and-hunting-of-golden-saml-attack?hsLang=en - https://o365blog.com/post/aadbackdoor/ drilldown_searches: -- name: View the detection results for $user$ - search: '%original_detection_search% | search user = $user$' +- name: View the detection results for - "$user$" + search: '%original_detection_search% | search user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/cloud/o365_new_forwarding_mailflow_rule_created.yml b/detections/cloud/o365_new_forwarding_mailflow_rule_created.yml index 402a9ce138..85ed1f33d3 100644 --- a/detections/cloud/o365_new_forwarding_mailflow_rule_created.yml +++ b/detections/cloud/o365_new_forwarding_mailflow_rule_created.yml @@ -15,12 +15,12 @@ references: - https://learn.microsoft.com/en-us/exchange/security-and-compliance/mail-flow-rules/mail-flow-rules - https://learn.microsoft.com/en-us/exchange/security-and-compliance/mail-flow-rules/mail-flow-rule-actions drilldown_searches: -- name: View the detection results for $user$ - search: '%original_detection_search% | search user = $user$' +- name: View the detection results for - "$user$" + search: '%original_detection_search% | search user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/cloud/o365_new_mfa_method_registered.yml b/detections/cloud/o365_new_mfa_method_registered.yml index 6eac24ea7d..d048cad3cf 100644 --- a/detections/cloud/o365_new_mfa_method_registered.yml +++ b/detections/cloud/o365_new_mfa_method_registered.yml @@ -16,12 +16,12 @@ references: - https://www.microsoft.com/en-us/security/blog/2023/06/08/detecting-and-mitigating-a-multi-stage-aitm-phishing-and-bec-campaign/ - https://www.csoonline.com/article/573451/sophisticated-bec-scammers-bypass-microsoft-365-multi-factor-authentication.html drilldown_searches: -- name: View the detection results for $user$ - search: '%original_detection_search% | search user = $user$' +- name: View the detection results for - "$user$" + search: '%original_detection_search% | search user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/cloud/o365_oauth_app_mailbox_access_via_ews.yml b/detections/cloud/o365_oauth_app_mailbox_access_via_ews.yml index 23319ba68d..e8ffd9ae71 100644 --- a/detections/cloud/o365_oauth_app_mailbox_access_via_ews.yml +++ b/detections/cloud/o365_oauth_app_mailbox_access_via_ews.yml @@ -16,12 +16,12 @@ references: - https://www.microsoft.com/en-us/security/blog/2024/01/25/midnight-blizzard-guidance-for-responders-on-nation-state-attack/ - https://learn.microsoft.com/en-us/exchange/client-developer/exchange-web-services/ews-applications-and-the-exchange-architecture drilldown_searches: -- name: View the detection results for $user$ - search: '%original_detection_search% | search user = $user$' +- name: View the detection results for - "$user$" + search: '%original_detection_search% | search user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/cloud/o365_oauth_app_mailbox_access_via_graph_api.yml b/detections/cloud/o365_oauth_app_mailbox_access_via_graph_api.yml index 1fdc76479e..f4cef3f577 100644 --- a/detections/cloud/o365_oauth_app_mailbox_access_via_graph_api.yml +++ b/detections/cloud/o365_oauth_app_mailbox_access_via_graph_api.yml @@ -16,12 +16,12 @@ references: - https://learn.microsoft.com/en-us/troubleshoot/azure/active-directory/verify-first-party-apps-sign-in - https://learn.microsoft.com/en-us/graph/permissions-reference drilldown_searches: -- name: View the detection results for $user$ - search: '%original_detection_search% | search user = $user$' +- name: View the detection results for - "$user$" + search: '%original_detection_search% | search user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/cloud/o365_privileged_graph_api_permission_assigned.yml b/detections/cloud/o365_privileged_graph_api_permission_assigned.yml index 5979dee3be..82fcdc96a7 100644 --- a/detections/cloud/o365_privileged_graph_api_permission_assigned.yml +++ b/detections/cloud/o365_privileged_graph_api_permission_assigned.yml @@ -18,12 +18,12 @@ references: - https://www.microsoft.com/en-us/security/blog/2024/01/25/midnight-blizzard-guidance-for-responders-on-nation-state-attack/ - https://posts.specterops.io/azure-privilege-escalation-via-azure-api-permissions-abuse-74aee1006f48 drilldown_searches: -- name: View the detection results for $user$ - search: '%original_detection_search% | search user = $user$' +- name: View the detection results for - "$user$" + search: '%original_detection_search% | search user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/cloud/o365_privileged_role_assigned.yml b/detections/cloud/o365_privileged_role_assigned.yml index 8ec5f13288..ab7c208b1d 100644 --- a/detections/cloud/o365_privileged_role_assigned.yml +++ b/detections/cloud/o365_privileged_role_assigned.yml @@ -16,12 +16,12 @@ references: - https://learn.microsoft.com/en-us/azure/active-directory/roles/permissions-reference - https://learn.microsoft.com/en-us/microsoft-365/admin/add-users/about-exchange-online-admin-role?view=o365-worldwide drilldown_searches: -- name: View the detection results for $user$ and $src_user$ - search: '%original_detection_search% | search user = $user$ src_user = $src_user$' +- name: View the detection results for - "$user$" and "$src_user$" + search: '%original_detection_search% | search user = "$user$" src_user = "$src_user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ and $src_user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$, $src_user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" and "$src_user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$src_user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/cloud/o365_privileged_role_assigned_to_service_principal.yml b/detections/cloud/o365_privileged_role_assigned_to_service_principal.yml index fb81ad15bb..23d21f6386 100644 --- a/detections/cloud/o365_privileged_role_assigned_to_service_principal.yml +++ b/detections/cloud/o365_privileged_role_assigned_to_service_principal.yml @@ -17,12 +17,12 @@ references: - https://learn.microsoft.com/en-us/microsoft-365/admin/add-users/about-exchange-online-admin-role?view=o365-worldwide - https://posts.specterops.io/azure-privilege-escalation-via-service-principal-abuse-210ae2be2a5 drilldown_searches: -- name: View the detection results for $user$ and $src_user$ - search: '%original_detection_search% | search user = $user$ src_user = $src_user$' +- name: View the detection results for - "$user$" and "$src_user$" + search: '%original_detection_search% | search user = "$user$" src_user = "$src_user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ and $src_user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$, $src_user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" and "$src_user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$src_user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/cloud/o365_pst_export_alert.yml b/detections/cloud/o365_pst_export_alert.yml index d541f849e6..e6890351e9 100644 --- a/detections/cloud/o365_pst_export_alert.yml +++ b/detections/cloud/o365_pst_export_alert.yml @@ -14,12 +14,12 @@ known_false_positives: PST export can be done for legitimate purposes but due to references: - https://attack.mitre.org/techniques/T1114/ drilldown_searches: -- name: View the detection results for $Source$ - search: '%original_detection_search% | search Source = $Source$' +- name: View the detection results for - "$Source$" + search: '%original_detection_search% | search Source = "$Source$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $Source$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($Source$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$Source$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$Source$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/cloud/o365_safe_links_detection.yml b/detections/cloud/o365_safe_links_detection.yml index 209a6ce81f..977416fee7 100644 --- a/detections/cloud/o365_safe_links_detection.yml +++ b/detections/cloud/o365_safe_links_detection.yml @@ -15,12 +15,12 @@ references: - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/safe-links-about?view=o365-worldwide - https://attack.mitre.org/techniques/T1566/ drilldown_searches: -- name: View the detection results for $user$ - search: '%original_detection_search% | search user = $user$' +- name: View the detection results for - "$user$" + search: '%original_detection_search% | search user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/cloud/o365_security_and_compliance_alert_triggered.yml b/detections/cloud/o365_security_and_compliance_alert_triggered.yml index 85623c276f..3f63413842 100644 --- a/detections/cloud/o365_security_and_compliance_alert_triggered.yml +++ b/detections/cloud/o365_security_and_compliance_alert_triggered.yml @@ -15,12 +15,12 @@ references: - https://learn.microsoft.com/en-us/purview/alert-policies?view=o365-worldwide - https://learn.microsoft.com/en-us/purview/alert-policies drilldown_searches: -- name: View the detection results for $user$ - search: '%original_detection_search% | search user = $user$' +- name: View the detection results for - "$user$" + search: '%original_detection_search% | search user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/cloud/o365_service_principal_new_client_credentials.yml b/detections/cloud/o365_service_principal_new_client_credentials.yml index dc6445fba6..4adc23b23f 100644 --- a/detections/cloud/o365_service_principal_new_client_credentials.yml +++ b/detections/cloud/o365_service_principal_new_client_credentials.yml @@ -17,12 +17,12 @@ references: - https://microsoft.github.io/Azure-Threat-Research-Matrix/Persistence/AZT501/AZT501-2/ - https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Cloud%20-%20Azure%20Pentest.md#add-credentials-to-all-enterprise-applications drilldown_searches: -- name: View the detection results for $object$ - search: '%original_detection_search% | search object = $object$' +- name: View the detection results for - "$object$" + search: '%original_detection_search% | search object = "$object$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $object$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($object$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$object$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$object$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/cloud/o365_sharepoint_allowed_domains_policy_changed.yml b/detections/cloud/o365_sharepoint_allowed_domains_policy_changed.yml index d617f4d65b..1a5827709f 100644 --- a/detections/cloud/o365_sharepoint_allowed_domains_policy_changed.yml +++ b/detections/cloud/o365_sharepoint_allowed_domains_policy_changed.yml @@ -14,12 +14,12 @@ known_false_positives: Business approved changes by known administrators. references: - https://learn.microsoft.com/en-us/sharepoint/external-sharing-overview drilldown_searches: -- name: View the detection results for $user$ - search: '%original_detection_search% | search user = $user$' +- name: View the detection results for - "$user$" + search: '%original_detection_search% | search user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/cloud/o365_sharepoint_malware_detection.yml b/detections/cloud/o365_sharepoint_malware_detection.yml index a3f16abdef..8f44f69423 100644 --- a/detections/cloud/o365_sharepoint_malware_detection.yml +++ b/detections/cloud/o365_sharepoint_malware_detection.yml @@ -14,12 +14,12 @@ known_false_positives: unknown references: - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-malware-protection-for-spo-odfb-teams-about?view=o365-worldwide drilldown_searches: -- name: View the detection results for $user$ - search: '%original_detection_search% | search user = $user$' +- name: View the detection results for - "$user$" + search: '%original_detection_search% | search user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/cloud/o365_tenant_wide_admin_consent_granted.yml b/detections/cloud/o365_tenant_wide_admin_consent_granted.yml index a5102fe549..10626951b3 100644 --- a/detections/cloud/o365_tenant_wide_admin_consent_granted.yml +++ b/detections/cloud/o365_tenant_wide_admin_consent_granted.yml @@ -18,12 +18,12 @@ references: - https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/grant-admin-consent?pivots=portal - https://microsoft.github.io/Azure-Threat-Research-Matrix/Persistence/AZT501/AZT501-2/ drilldown_searches: -- name: View the detection results for $user$ - search: '%original_detection_search% | search user = $user$' +- name: View the detection results for - "$user$" + search: '%original_detection_search% | search user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/cloud/o365_threat_intelligence_suspicious_email_delivered.yml b/detections/cloud/o365_threat_intelligence_suspicious_email_delivered.yml index e3411b1c2e..f2ed2dcc5b 100644 --- a/detections/cloud/o365_threat_intelligence_suspicious_email_delivered.yml +++ b/detections/cloud/o365_threat_intelligence_suspicious_email_delivered.yml @@ -15,12 +15,12 @@ references: - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-malware-protection-for-spo-odfb-teams-about?view=o365-worldwide - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/office-365-ti?view=o365-worldwide drilldown_searches: -- name: View the detection results for $user$ and $src_user$ - search: '%original_detection_search% | search user = $user$ src_user = $src_user$' +- name: View the detection results for - "$user$" and "$src_user$" + search: '%original_detection_search% | search user = "$user$" src_user = "$src_user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ and $src_user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$, $src_user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" and "$src_user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$src_user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/cloud/o365_threat_intelligence_suspicious_file_detected.yml b/detections/cloud/o365_threat_intelligence_suspicious_file_detected.yml index faccd235db..0b74f9b17d 100644 --- a/detections/cloud/o365_threat_intelligence_suspicious_file_detected.yml +++ b/detections/cloud/o365_threat_intelligence_suspicious_file_detected.yml @@ -15,12 +15,12 @@ references: - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/threat-explorer-real-time-detections-about?view=o365-worldwide - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-malware-protection-for-spo-odfb-teams-about?view=o365-worldwide drilldown_searches: -- name: View the detection results for $user$ - search: '%original_detection_search% | search user = $user$' +- name: View the detection results for - "$user$" + search: '%original_detection_search% | search user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/cloud/o365_user_consent_blocked_for_risky_application.yml b/detections/cloud/o365_user_consent_blocked_for_risky_application.yml index 49b8265de6..f2f14f85f0 100644 --- a/detections/cloud/o365_user_consent_blocked_for_risky_application.yml +++ b/detections/cloud/o365_user_consent_blocked_for_risky_application.yml @@ -19,12 +19,12 @@ references: - https://www.alteredsecurity.com/post/introduction-to-365-stealer - https://github.com/AlteredSecurity/365-Stealer drilldown_searches: -- name: View the detection results for $user$ - search: '%original_detection_search% | search user = $user$' +- name: View the detection results for - "$user$" + search: '%original_detection_search% | search user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/cloud/o365_user_consent_denied_for_oauth_application.yml b/detections/cloud/o365_user_consent_denied_for_oauth_application.yml index 539c1f065b..bbe450fbe9 100644 --- a/detections/cloud/o365_user_consent_denied_for_oauth_application.yml +++ b/detections/cloud/o365_user_consent_denied_for_oauth_application.yml @@ -19,12 +19,12 @@ references: - https://www.alteredsecurity.com/post/introduction-to-365-stealer - https://github.com/AlteredSecurity/365-Stealer drilldown_searches: -- name: View the detection results for $user$ - search: '%original_detection_search% | search user = $user$' +- name: View the detection results for - "$user$" + search: '%original_detection_search% | search user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/cloud/o365_zap_activity_detection.yml b/detections/cloud/o365_zap_activity_detection.yml index 89d7bd4327..8a676ba6d3 100644 --- a/detections/cloud/o365_zap_activity_detection.yml +++ b/detections/cloud/o365_zap_activity_detection.yml @@ -14,12 +14,12 @@ known_false_positives: unknown references: - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/zero-hour-auto-purge?view=o365-worldwide drilldown_searches: -- name: View the detection results for $user$ - search: '%original_detection_search% | search user = $user$' +- name: View the detection results for - "$user$" + search: '%original_detection_search% | search user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/cloud/risk_rule_for_dev_sec_ops_by_repository.yml b/detections/cloud/risk_rule_for_dev_sec_ops_by_repository.yml index 56c82d08e1..48d79021a3 100644 --- a/detections/cloud/risk_rule_for_dev_sec_ops_by_repository.yml +++ b/detections/cloud/risk_rule_for_dev_sec_ops_by_repository.yml @@ -12,12 +12,12 @@ how_to_implement: Ensure that all relevant detections in the Dev Sec Ops analyti known_false_positives: Unknown references: [] drilldown_searches: -- name: View the detection results for $risk_object$ - search: '%original_detection_search% | search risk_object = $risk_object$' +- name: View the detection results for - "$risk_object$" + search: '%original_detection_search% | search risk_object = "$risk_object$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $risk_object$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($risk_object$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$risk_object$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$risk_object$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/3cx_supply_chain_attack_network_indicators.yml b/detections/endpoint/3cx_supply_chain_attack_network_indicators.yml index 73351bd7e3..e6c6862533 100644 --- a/detections/endpoint/3cx_supply_chain_attack_network_indicators.yml +++ b/detections/endpoint/3cx_supply_chain_attack_network_indicators.yml @@ -7,23 +7,10 @@ type: TTP status: experimental data_source: - Sysmon EventID 22 -description: The following analytic identifies DNS queries to domains associated with - the 3CX supply chain attack. It leverages the Network_Resolution datamodel to detect - these suspicious domain indicators. This activity is significant because it can - indicate a potential compromise stemming from the 3CX supply chain attack, which - is known for distributing malicious software through trusted updates. If confirmed - malicious, this activity could allow attackers to establish a foothold in the network, - exfiltrate sensitive data, or further propagate malware, leading to extensive damage - and data breaches. -search: '| tstats `security_content_summariesonly` values(DNS.answer) as IPs min(_time) - as firstTime from datamodel=Network_Resolution by DNS.src, DNS.query | `drop_dm_object_name(DNS)` - | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | lookup - 3cx_ioc_domains domain as query OUTPUT Description isIOC | search isIOC=true | `3cx_supply_chain_attack_network_indicators_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information - into the `Network Resolution` datamodel in the `DNS` node. In addition, confirm - the latest CIM App 4.20 or higher is installed and the latest TA''s are installed. -known_false_positives: False positives will be present for accessing the 3cx[.]com - website. Remove from the lookup as needed. +description: The following analytic identifies DNS queries to domains associated with the 3CX supply chain attack. It leverages the Network_Resolution datamodel to detect these suspicious domain indicators. This activity is significant because it can indicate a potential compromise stemming from the 3CX supply chain attack, which is known for distributing malicious software through trusted updates. If confirmed malicious, this activity could allow attackers to establish a foothold in the network, exfiltrate sensitive data, or further propagate malware, leading to extensive damage and data breaches. +search: '| tstats `security_content_summariesonly` values(DNS.answer) as IPs min(_time) as firstTime from datamodel=Network_Resolution by DNS.src, DNS.query | `drop_dm_object_name(DNS)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | lookup 3cx_ioc_domains domain as query OUTPUT Description isIOC | search isIOC=true | `3cx_supply_chain_attack_network_indicators_filter`' +how_to_implement: To successfully implement this search you need to be ingesting information into the `Network Resolution` datamodel in the `DNS` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA''s are installed. +known_false_positives: False positives will be present for accessing the 3cx[.]com website. Remove from the lookup as needed. references: - https://www.sentinelone.com/blog/smoothoperator-ongoing-campaign-trojanizes-3cx-software-in-software-supply-chain-attack/ - https://www.cisa.gov/news-events/alerts/2023/03/30/supply-chain-attack-against-3cxdesktopapp @@ -63,7 +50,6 @@ tags: tests: - name: True Positive Test attack_data: - - data: - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1195.002/3CX/3cx_network-windows-sysmon.log + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1195.002/3CX/3cx_network-windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/7zip_commandline_to_smb_share_path.yml b/detections/endpoint/7zip_commandline_to_smb_share_path.yml index 12be759a8a..71873d5e3c 100644 --- a/detections/endpoint/7zip_commandline_to_smb_share_path.yml +++ b/detections/endpoint/7zip_commandline_to_smb_share_path.yml @@ -5,35 +5,13 @@ date: '2024-10-17' author: Teoderick Contreras, Splunk status: production type: Hunting -description: The following analytic detects the execution of 7z or 7za processes with - command lines pointing to SMB network shares. It leverages data from Endpoint Detection - and Response (EDR) agents, focusing on process names and command-line arguments. - This activity is significant as it may indicate an attempt to archive and exfiltrate - sensitive files to a network share, a technique observed in CONTI LEAK tools. If - confirmed malicious, this behavior could lead to data exfiltration, compromising - sensitive information and potentially aiding further attacks. +description: The following analytic detects the execution of 7z or 7za processes with command lines pointing to SMB network shares. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line arguments. This activity is significant as it may indicate an attempt to archive and exfiltrate sensitive files to a network share, a technique observed in CONTI LEAK tools. If confirmed malicious, this behavior could lead to data exfiltration, compromising sensitive information and potentially aiding further attacks. data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) - as lastTime from datamodel=Endpoint.Processes where (Processes.process_name ="7z.exe" - OR Processes.process_name = "7za.exe" OR Processes.original_file_name = "7z.exe" - OR Processes.original_file_name = "7za.exe") AND (Processes.process="*\\C$\\*" - OR Processes.process="*\\Admin$\\*" OR Processes.process="*\\IPC$\\*") by Processes.original_file_name - Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process - Processes.parent_process_id Processes.process_id Processes.dest Processes.user - | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` - | `7zip_commandline_to_smb_share_path_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection - and Response (EDR) agents. These agents are designed to provide security-related - telemetry from the endpoints where the agent is installed. To implement this search, - you must ingest logs that contain the process GUID, process name, and parent process. - Additionally, you must ingest complete command-line executions. These logs must - be processed using the appropriate Splunk Technology Add-ons that are specific to - the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` - data model. Use the Splunk Common Information Model (CIM) to normalize the field - names and speed up the data modeling process. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name ="7z.exe" OR Processes.process_name = "7za.exe" OR Processes.original_file_name = "7z.exe" OR Processes.original_file_name = "7za.exe") AND (Processes.process="*\\C$\\*" OR Processes.process="*\\Admin$\\*" OR Processes.process="*\\IPC$\\*") by Processes.original_file_name Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.parent_process_id Processes.process_id Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `7zip_commandline_to_smb_share_path_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. known_false_positives: unknown references: - https://threadreaderapp.com/thread/1423361119926816776.html @@ -43,8 +21,7 @@ tags: asset_type: Endpoint confidence: 50 impact: 50 - message: archive process $process_name$ with suspicious cmdline $process$ in host - $dest$ + message: archive process $process_name$ with suspicious cmdline $process$ in host $dest$ mitre_attack_id: - T1560.001 - T1560 @@ -76,7 +53,6 @@ tags: tests: - name: True Positive Test attack_data: - - data: - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/conti/conti_leak/windows-sysmon_7z.log + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/conti/conti_leak/windows-sysmon_7z.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/access_lsass_memory_for_dump_creation.yml b/detections/endpoint/access_lsass_memory_for_dump_creation.yml index 854810650a..c26fa2f16d 100644 --- a/detections/endpoint/access_lsass_memory_for_dump_creation.yml +++ b/detections/endpoint/access_lsass_memory_for_dump_creation.yml @@ -14,12 +14,12 @@ known_false_positives: Administrators can create memory dumps for debugging purp references: - https://2017.zeronights.org/wp-content/uploads/materials/ZN17_Kheirkhabarov_Hunting_for_Credentials_Dumping_in_Windows_Environment.pdf drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/account_discovery_with_net_app.yml b/detections/endpoint/account_discovery_with_net_app.yml index 0674cfd198..e5d8aedc23 100644 --- a/detections/endpoint/account_discovery_with_net_app.yml +++ b/detections/endpoint/account_discovery_with_net_app.yml @@ -18,12 +18,12 @@ references: - https://whitehat.eu/incident-response-case-study-featuring-ryuk-and-trickbot-part-2/ - https://app.any.run/tasks/48414a33-3d66-4a46-afe5-c2003bb55ccf/ drilldown_searches: -- name: View the detection results for $user$ and $dest$ - search: '%original_detection_search% | search user = $user$ dest = $dest$' +- name: View the detection results for - "$user$" and "$dest$" + search: '%original_detection_search% | search user = "$user$" dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ and $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$, $dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" and "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/active_directory_lateral_movement_identified.yml b/detections/endpoint/active_directory_lateral_movement_identified.yml index 5b7bfabced..dd1b694964 100644 --- a/detections/endpoint/active_directory_lateral_movement_identified.yml +++ b/detections/endpoint/active_directory_lateral_movement_identified.yml @@ -14,12 +14,12 @@ references: - https://attack.mitre.org/tactics/TA0008/ - https://research.splunk.com/stories/active_directory_lateral_movement/ drilldown_searches: -- name: View the detection results for $risk_object$ - search: '%original_detection_search% | search risk_object = $risk_object$' +- name: View the detection results for - "$risk_object$" + search: '%original_detection_search% | search risk_object = "$risk_object$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $risk_object$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($risk_object$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$risk_object$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$risk_object$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/active_directory_privilege_escalation_identified.yml b/detections/endpoint/active_directory_privilege_escalation_identified.yml index e45fef7257..8e6d7b4536 100644 --- a/detections/endpoint/active_directory_privilege_escalation_identified.yml +++ b/detections/endpoint/active_directory_privilege_escalation_identified.yml @@ -14,12 +14,12 @@ references: - https://attack.mitre.org/tactics/TA0004/ - https://research.splunk.com/stories/active_directory_privilege_escalation/ drilldown_searches: -- name: View the detection results for $risk_object$ - search: '%original_detection_search% | search risk_object = $risk_object$' +- name: View the detection results for - "$risk_object$" + search: '%original_detection_search% | search risk_object = "$risk_object$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $risk_object$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($risk_object$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$risk_object$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$risk_object$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/active_setup_registry_autostart.yml b/detections/endpoint/active_setup_registry_autostart.yml index 31c67de039..3b7773c18a 100644 --- a/detections/endpoint/active_setup_registry_autostart.yml +++ b/detections/endpoint/active_setup_registry_autostart.yml @@ -16,12 +16,12 @@ references: - https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Backdoor%3AWin32%2FPoisonivy.E - https://attack.mitre.org/techniques/T1547/014/ drilldown_searches: -- name: View the detection results for $dest$ and $user$ - search: '%original_detection_search% | search dest = $dest$ user = $user$' +- name: View the detection results for - "$dest$" and "$user$" + search: '%original_detection_search% | search dest = "$dest$" user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ and $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$, $user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" and "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/add_defaultuser_and_password_in_registry.yml b/detections/endpoint/add_defaultuser_and_password_in_registry.yml index 24a8f7ad65..810006c1ea 100644 --- a/detections/endpoint/add_defaultuser_and_password_in_registry.yml +++ b/detections/endpoint/add_defaultuser_and_password_in_registry.yml @@ -15,12 +15,12 @@ known_false_positives: unknown references: - https://news.sophos.com/en-us/2021/08/09/blackmatter-ransomware-emerges-from-the-shadow-of-darkside/ drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/add_or_set_windows_defender_exclusion.yml b/detections/endpoint/add_or_set_windows_defender_exclusion.yml index b5afa74f41..14ba3a5c23 100644 --- a/detections/endpoint/add_or_set_windows_defender_exclusion.yml +++ b/detections/endpoint/add_or_set_windows_defender_exclusion.yml @@ -18,12 +18,12 @@ references: - https://app.any.run/tasks/cf1245de-06a7-4366-8209-8e3006f2bfe5/ - https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/ drilldown_searches: -- name: View the detection results for $user$ and $dest$ - search: '%original_detection_search% | search user = $user$ dest = $dest$' +- name: View the detection results for - "$user$" and "$dest$" + search: '%original_detection_search% | search user = "$user$" dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ and $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$, $dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" and "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/adsisearcher_account_discovery.yml b/detections/endpoint/adsisearcher_account_discovery.yml index ef968efa08..abe5faa710 100644 --- a/detections/endpoint/adsisearcher_account_discovery.yml +++ b/detections/endpoint/adsisearcher_account_discovery.yml @@ -16,12 +16,12 @@ references: - https://www.blackhillsinfosec.com/red-blue-purple/ - https://devblogs.microsoft.com/scripting/use-the-powershell-adsisearcher-type-accelerator-to-search-active-directory/ drilldown_searches: -- name: View the detection results for $dest$ and $user$ - search: '%original_detection_search% | search dest = $dest$ user = $user$' +- name: View the detection results for - "$dest$" and "$user$" + search: '%original_detection_search% | search dest = "$dest$" user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ and $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$, $user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" and "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/allow_file_and_printing_sharing_in_firewall.yml b/detections/endpoint/allow_file_and_printing_sharing_in_firewall.yml index f7b59e9a61..e915e23406 100644 --- a/detections/endpoint/allow_file_and_printing_sharing_in_firewall.yml +++ b/detections/endpoint/allow_file_and_printing_sharing_in_firewall.yml @@ -17,12 +17,12 @@ references: - https://community.fortinet.com:443/t5/FortiEDR/How-FortiEDR-detects-and-blocks-Revil-Ransomware-aka-sodinokibi/ta-p/189638?externalID=FD52469 - https://app.any.run/tasks/c0f98850-af65-4352-9746-fbebadee4f05/ drilldown_searches: -- name: View the detection results for $user$ and $dest$ - search: '%original_detection_search% | search user = $user$ dest = $dest$' +- name: View the detection results for - "$user$" and "$dest$" + search: '%original_detection_search% | search user = "$user$" dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ and $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$, $dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" and "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/allow_inbound_traffic_by_firewall_rule_registry.yml b/detections/endpoint/allow_inbound_traffic_by_firewall_rule_registry.yml index 02697cb170..457ded1701 100644 --- a/detections/endpoint/allow_inbound_traffic_by_firewall_rule_registry.yml +++ b/detections/endpoint/allow_inbound_traffic_by_firewall_rule_registry.yml @@ -15,12 +15,12 @@ known_false_positives: network admin may add/remove/modify public inbound firewa references: - https://docs.microsoft.com/en-us/powershell/module/netsecurity/new-netfirewallrule?view=windowsserver2019-ps drilldown_searches: -- name: View the detection results for $user$ and $dest$ - search: '%original_detection_search% | search user = $user$ dest = $dest$' +- name: View the detection results for - "$user$" and "$dest$" + search: '%original_detection_search% | search user = "$user$" dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ and $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$, $dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" and "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/allow_inbound_traffic_in_firewall_rule.yml b/detections/endpoint/allow_inbound_traffic_in_firewall_rule.yml index 52ad875711..c26dfe87ae 100644 --- a/detections/endpoint/allow_inbound_traffic_in_firewall_rule.yml +++ b/detections/endpoint/allow_inbound_traffic_in_firewall_rule.yml @@ -14,12 +14,12 @@ known_false_positives: administrator may allow inbound traffic in certain networ references: - https://docs.microsoft.com/en-us/powershell/module/netsecurity/new-netfirewallrule?view=windowsserver2019-ps drilldown_searches: -- name: View the detection results for $user$ and $dest$ - search: '%original_detection_search% | search user = $user$ dest = $dest$' +- name: View the detection results for - "$user$" and "$dest$" + search: '%original_detection_search% | search user = "$user$" dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ and $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$, $dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" and "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/allow_network_discovery_in_firewall.yml b/detections/endpoint/allow_network_discovery_in_firewall.yml index b84d112ab1..ec58bec71c 100644 --- a/detections/endpoint/allow_network_discovery_in_firewall.yml +++ b/detections/endpoint/allow_network_discovery_in_firewall.yml @@ -17,12 +17,12 @@ references: - https://community.fortinet.com:443/t5/FortiEDR/How-FortiEDR-detects-and-blocks-Revil-Ransomware-aka-sodinokibi/ta-p/189638?externalID=FD52469 - https://app.any.run/tasks/c0f98850-af65-4352-9746-fbebadee4f05/ drilldown_searches: -- name: View the detection results for $user$ - search: '%original_detection_search% | search user = $user$' +- name: View the detection results for - "$user$" + search: '%original_detection_search% | search user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/allow_operation_with_consent_admin.yml b/detections/endpoint/allow_operation_with_consent_admin.yml index 116b9ae870..acefa48c4d 100644 --- a/detections/endpoint/allow_operation_with_consent_admin.yml +++ b/detections/endpoint/allow_operation_with_consent_admin.yml @@ -16,12 +16,12 @@ references: - https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-gpsb/341747f5-6b5d-4d30-85fc-fa1cc04038d4 - https://www.trendmicro.com/vinfo/no/threat-encyclopedia/malware/Ransom.Win32.MRDEC.MRA/ drilldown_searches: -- name: View the detection results for $user$ and $dest$ - search: '%original_detection_search% | search user = $user$ dest = $dest$' +- name: View the detection results for - "$user$" and "$dest$" + search: '%original_detection_search% | search user = "$user$" dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ and $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$, $dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" and "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/anomalous_usage_of_7zip.yml b/detections/endpoint/anomalous_usage_of_7zip.yml index a6237afd59..6c7eda482c 100644 --- a/detections/endpoint/anomalous_usage_of_7zip.yml +++ b/detections/endpoint/anomalous_usage_of_7zip.yml @@ -18,12 +18,12 @@ references: - https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/ - https://thedfirreport.com/2021/01/31/bazar-no-ryuk/ drilldown_searches: -- name: View the detection results for $user$ and $dest$ - search: '%original_detection_search% | search user = $user$ dest = $dest$' +- name: View the detection results for - "$user$" and "$dest$" + search: '%original_detection_search% | search user = "$user$" dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ and $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$, $dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" and "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/any_powershell_downloadfile.yml b/detections/endpoint/any_powershell_downloadfile.yml index 9876187734..0e86cc6a14 100644 --- a/detections/endpoint/any_powershell_downloadfile.yml +++ b/detections/endpoint/any_powershell_downloadfile.yml @@ -18,12 +18,12 @@ references: - https://blog.malwarebytes.com/malwarebytes-news/2021/02/lazyscripter-from-empire-to-double-rat/ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.001/T1059.001.md drilldown_searches: -- name: View the detection results for $user$ and $dest$ - search: '%original_detection_search% | search user = $user$ dest = $dest$' +- name: View the detection results for - "$user$" and "$dest$" + search: '%original_detection_search% | search user = "$user$" dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ and $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$, $dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" and "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/any_powershell_downloadstring.yml b/detections/endpoint/any_powershell_downloadstring.yml index 58c4481dd5..8cf3f150b6 100644 --- a/detections/endpoint/any_powershell_downloadstring.yml +++ b/detections/endpoint/any_powershell_downloadstring.yml @@ -19,12 +19,12 @@ references: - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.001/T1059.001.md - https://thedfirreport.com/2023/05/22/icedid-macro-ends-in-nokoyawa-ransomware/ drilldown_searches: -- name: View the detection results for $user$ and $dest$ - search: '%original_detection_search% | search user = $user$ dest = $dest$' +- name: View the detection results for - "$user$" and "$dest$" + search: '%original_detection_search% | search user = "$user$" dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ and $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$, $dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" and "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/attacker_tools_on_endpoint.yml b/detections/endpoint/attacker_tools_on_endpoint.yml index f94ddaeeff..8e608cb29d 100644 --- a/detections/endpoint/attacker_tools_on_endpoint.yml +++ b/detections/endpoint/attacker_tools_on_endpoint.yml @@ -15,12 +15,12 @@ how_to_implement: The detection is based on data that originates from Endpoint D known_false_positives: Some administrator activity can be potentially triggered, please add those users to the filter macro. references: [] drilldown_searches: -- name: View the detection results for $user$ and $dest$ - search: '%original_detection_search% | search user = $user$ dest = $dest$' +- name: View the detection results for - "$user$" and "$dest$" + search: '%original_detection_search% | search user = "$user$" dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ and $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$, $dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" and "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/attempt_to_add_certificate_to_untrusted_store.yml b/detections/endpoint/attempt_to_add_certificate_to_untrusted_store.yml index 627e32bac4..298cc14346 100644 --- a/detections/endpoint/attempt_to_add_certificate_to_untrusted_store.yml +++ b/detections/endpoint/attempt_to_add_certificate_to_untrusted_store.yml @@ -16,12 +16,12 @@ known_false_positives: There may be legitimate reasons for administrators to add references: - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.004/T1553.004.md drilldown_searches: -- name: View the detection results for $user$ and $dest$ - search: '%original_detection_search% | search user = $user$ dest = $dest$' +- name: View the detection results for - "$user$" and "$dest$" + search: '%original_detection_search% | search user = "$user$" dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ and $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$, $dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" and "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/attempt_to_stop_security_service.yml b/detections/endpoint/attempt_to_stop_security_service.yml index 7e99c541b6..5c691e1f70 100644 --- a/detections/endpoint/attempt_to_stop_security_service.yml +++ b/detections/endpoint/attempt_to_stop_security_service.yml @@ -17,12 +17,12 @@ references: - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md#atomic-test-14---disable-arbitrary-security-windows-service - https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/ drilldown_searches: -- name: View the detection results for $user$ and $dest$ - search: '%original_detection_search% | search user = $user$ dest = $dest$' +- name: View the detection results for - "$user$" and "$dest$" + search: '%original_detection_search% | search user = "$user$" dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ and $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$, $dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" and "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/attempted_credential_dump_from_registry_via_reg_exe.yml b/detections/endpoint/attempted_credential_dump_from_registry_via_reg_exe.yml index 7cd790ad40..8adca0282a 100644 --- a/detections/endpoint/attempted_credential_dump_from_registry_via_reg_exe.yml +++ b/detections/endpoint/attempted_credential_dump_from_registry_via_reg_exe.yml @@ -16,12 +16,12 @@ known_false_positives: None identified. references: - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.002/T1003.002.md#atomic-test-1---registry-dump-of-sam-creds-and-secrets drilldown_searches: -- name: View the detection results for $user$ and $dest$ - search: '%original_detection_search% | search user = $user$ dest = $dest$' +- name: View the detection results for - "$user$" and "$dest$" + search: '%original_detection_search% | search user = "$user$" dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ and $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$, $dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" and "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/auto_admin_logon_registry_entry.yml b/detections/endpoint/auto_admin_logon_registry_entry.yml index 7bcf1ac4b4..d114d607bd 100644 --- a/detections/endpoint/auto_admin_logon_registry_entry.yml +++ b/detections/endpoint/auto_admin_logon_registry_entry.yml @@ -15,12 +15,12 @@ known_false_positives: unknown references: - https://news.sophos.com/en-us/2021/08/09/blackmatter-ransomware-emerges-from-the-shadow-of-darkside/ drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/batch_file_write_to_system32.yml b/detections/endpoint/batch_file_write_to_system32.yml index c2774b6911..f835fc5114 100644 --- a/detections/endpoint/batch_file_write_to_system32.yml +++ b/detections/endpoint/batch_file_write_to_system32.yml @@ -13,12 +13,12 @@ how_to_implement: To successfully implement this search you need to be ingesting known_false_positives: It is possible for this search to generate a notable event for a batch file write to a path that includes the string "system32", but is not the actual Windows system directory. As such, you should confirm the path of the batch file identified by the search. In addition, a false positive may be generated by an administrator copying a legitimate batch file in this directory tree. You should confirm that the activity is legitimate and modify the search to add exclusions, as necessary. references: [] drilldown_searches: -- name: View the detection results for $user$ and $dest$ - search: '%original_detection_search% | search user = $user$ dest = $dest$' +- name: View the detection results for - "$user$" and "$dest$" + search: '%original_detection_search% | search user = "$user$" dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ and $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$, $dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" and "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/bcdedit_command_back_to_normal_mode_boot.yml b/detections/endpoint/bcdedit_command_back_to_normal_mode_boot.yml index 56c7475a0a..65a28615e6 100644 --- a/detections/endpoint/bcdedit_command_back_to_normal_mode_boot.yml +++ b/detections/endpoint/bcdedit_command_back_to_normal_mode_boot.yml @@ -16,12 +16,12 @@ known_false_positives: unknown references: - https://news.sophos.com/en-us/2021/08/09/blackmatter-ransomware-emerges-from-the-shadow-of-darkside/ drilldown_searches: -- name: View the detection results for $user$ and $dest$ - search: '%original_detection_search% | search user = $user$ dest = $dest$' +- name: View the detection results for - "$user$" and "$dest$" + search: '%original_detection_search% | search user = "$user$" dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ and $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$, $dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" and "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/bcdedit_failure_recovery_modification.yml b/detections/endpoint/bcdedit_failure_recovery_modification.yml index 7b13779b5f..a1745ecbb9 100644 --- a/detections/endpoint/bcdedit_failure_recovery_modification.yml +++ b/detections/endpoint/bcdedit_failure_recovery_modification.yml @@ -16,12 +16,12 @@ known_false_positives: Administrators may modify the boot configuration. references: - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1490/T1490.md#atomic-test-4---windows---disable-windows-recovery-console-repair drilldown_searches: -- name: View the detection results for $user$ and $dest$ - search: '%original_detection_search% | search user = $user$ dest = $dest$' +- name: View the detection results for - "$user$" and "$dest$" + search: '%original_detection_search% | search user = "$user$" dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ and $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$, $dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" and "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/bits_job_persistence.yml b/detections/endpoint/bits_job_persistence.yml index e01306db54..22b3f92dde 100644 --- a/detections/endpoint/bits_job_persistence.yml +++ b/detections/endpoint/bits_job_persistence.yml @@ -19,12 +19,12 @@ references: - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1197/T1197.md#atomic-test-3---persist-download--execute - https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/ drilldown_searches: -- name: View the detection results for $user$ and $dest$ - search: '%original_detection_search% | search user = $user$ dest = $dest$' +- name: View the detection results for - "$user$" and "$dest$" + search: '%original_detection_search% | search user = "$user$" dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ and $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$, $dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" and "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/bitsadmin_download_file.yml b/detections/endpoint/bitsadmin_download_file.yml index 7d57f3059c..5f2db72ccd 100644 --- a/detections/endpoint/bitsadmin_download_file.yml +++ b/detections/endpoint/bitsadmin_download_file.yml @@ -19,12 +19,12 @@ references: - https://docs.microsoft.com/en-us/windows/win32/bits/bitsadmin-tool - https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/ drilldown_searches: -- name: View the detection results for $user$ and $dest$ - search: '%original_detection_search% | search user = $user$ dest = $dest$' +- name: View the detection results for - "$user$" and "$dest$" + search: '%original_detection_search% | search user = "$user$" dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ and $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$, $dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" and "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/certutil_download_with_urlcache_and_split_arguments.yml b/detections/endpoint/certutil_download_with_urlcache_and_split_arguments.yml index 026074f00b..b1c1f7e2a5 100644 --- a/detections/endpoint/certutil_download_with_urlcache_and_split_arguments.yml +++ b/detections/endpoint/certutil_download_with_urlcache_and_split_arguments.yml @@ -18,12 +18,12 @@ references: - https://www.avira.com/en/blog/certutil-abused-by-attackers-to-spread-threats - https://web.archive.org/web/20210921110637/https://www.fireeye.com/blog/threat-research/2019/10/certutil-qualms-they-came-to-drop-fombs.html drilldown_searches: -- name: View the detection results for $user$ and $dest$ - search: '%original_detection_search% | search user = $user$ dest = $dest$' +- name: View the detection results for - "$user$" and "$dest$" + search: '%original_detection_search% | search user = "$user$" dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ and $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$, $dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" and "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/certutil_download_with_verifyctl_and_split_arguments.yml b/detections/endpoint/certutil_download_with_verifyctl_and_split_arguments.yml index e9750ae0dc..8d349f5391 100644 --- a/detections/endpoint/certutil_download_with_verifyctl_and_split_arguments.yml +++ b/detections/endpoint/certutil_download_with_verifyctl_and_split_arguments.yml @@ -19,12 +19,12 @@ references: - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/cc732443(v=ws.11)#-verifyctl - https://www.avira.com/en/blog/certutil-abused-by-attackers-to-spread-threats drilldown_searches: -- name: View the detection results for $user$ and $dest$ - search: '%original_detection_search% | search user = $user$ dest = $dest$' +- name: View the detection results for - "$user$" and "$dest$" + search: '%original_detection_search% | search user = "$user$" dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ and $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$, $dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" and "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/certutil_exe_certificate_extraction.yml b/detections/endpoint/certutil_exe_certificate_extraction.yml index a9fcd5b7a0..61a51e3950 100644 --- a/detections/endpoint/certutil_exe_certificate_extraction.yml +++ b/detections/endpoint/certutil_exe_certificate_extraction.yml @@ -17,12 +17,12 @@ references: - https://blog.sygnia.co/detection-and-hunting-of-golden-saml-attack - https://strontic.github.io/xcyclopedia/library/certutil.exe-09A8A29BAA3A451713FD3D07943B4A43.html drilldown_searches: -- name: View the detection results for $user$ and $dest$ - search: '%original_detection_search% | search user = $user$ dest = $dest$' +- name: View the detection results for - "$user$" and "$dest$" + search: '%original_detection_search% | search user = "$user$" dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ and $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$, $dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" and "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/certutil_with_decode_argument.yml b/detections/endpoint/certutil_with_decode_argument.yml index 24edc9919a..f1e9d823ed 100644 --- a/detections/endpoint/certutil_with_decode_argument.yml +++ b/detections/endpoint/certutil_with_decode_argument.yml @@ -19,12 +19,12 @@ references: - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/certutil - https://www.bleepingcomputer.com/news/security/certutilexe-could-allow-attackers-to-download-malware-while-bypassing-av/ drilldown_searches: -- name: View the detection results for $user$ and $dest$ - search: '%original_detection_search% | search user = $user$ dest = $dest$' +- name: View the detection results for - "$user$" and "$dest$" + search: '%original_detection_search% | search user = "$user$" dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ and $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$, $dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" and "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/change_default_file_association.yml b/detections/endpoint/change_default_file_association.yml index 9b258465d4..2cf5dc4d06 100644 --- a/detections/endpoint/change_default_file_association.yml +++ b/detections/endpoint/change_default_file_association.yml @@ -15,12 +15,12 @@ known_false_positives: unknown references: - https://dmcxblue.gitbook.io/red-team-notes-2-0/red-team-techniques/privilege-escalation/untitled-3/accessibility-features drilldown_searches: -- name: View the detection results for $dest$ and $user$ - search: '%original_detection_search% | search dest = $dest$ user = $user$' +- name: View the detection results for - "$dest$" and "$user$" + search: '%original_detection_search% | search dest = "$dest$" user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ and $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$, $user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" and "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/change_to_safe_mode_with_network_config.yml b/detections/endpoint/change_to_safe_mode_with_network_config.yml index 3b77f35c54..3b1c5a3fc8 100644 --- a/detections/endpoint/change_to_safe_mode_with_network_config.yml +++ b/detections/endpoint/change_to_safe_mode_with_network_config.yml @@ -16,12 +16,12 @@ known_false_positives: unknown references: - https://news.sophos.com/en-us/2021/08/09/blackmatter-ransomware-emerges-from-the-shadow-of-darkside/ drilldown_searches: -- name: View the detection results for $user$ and $dest$ - search: '%original_detection_search% | search user = $user$ dest = $dest$' +- name: View the detection results for - "$user$" and "$dest$" + search: '%original_detection_search% | search user = "$user$" dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ and $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$, $dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" and "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/chcp_command_execution.yml b/detections/endpoint/chcp_command_execution.yml index c411d3a4df..cf5f6e3aba 100644 --- a/detections/endpoint/chcp_command_execution.yml +++ b/detections/endpoint/chcp_command_execution.yml @@ -17,12 +17,12 @@ references: - https://ss64.com/nt/chcp.html - https://twitter.com/tccontre18/status/1419941156633329665?s=20 drilldown_searches: -- name: View the detection results for $dest$ and $user$ - search: '%original_detection_search% | search dest = $dest$ user = $user$' +- name: View the detection results for - "$dest$" and "$user$" + search: '%original_detection_search% | search dest = "$dest$" user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ and $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$, $user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" and "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/check_elevated_cmd_using_whoami.yml b/detections/endpoint/check_elevated_cmd_using_whoami.yml index f60326d3fc..fb451f78e1 100644 --- a/detections/endpoint/check_elevated_cmd_using_whoami.yml +++ b/detections/endpoint/check_elevated_cmd_using_whoami.yml @@ -15,12 +15,12 @@ how_to_implement: The detection is based on data that originates from Endpoint D known_false_positives: unknown references: [] drilldown_searches: -- name: View the detection results for $dest$ and $user$ - search: '%original_detection_search% | search dest = $dest$ user = $user$' +- name: View the detection results for - "$dest$" and "$user$" + search: '%original_detection_search% | search dest = "$dest$" user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ and $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$, $user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" and "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/child_processes_of_spoolsv_exe.yml b/detections/endpoint/child_processes_of_spoolsv_exe.yml index c42302a027..5e1a946f1a 100644 --- a/detections/endpoint/child_processes_of_spoolsv_exe.yml +++ b/detections/endpoint/child_processes_of_spoolsv_exe.yml @@ -5,36 +5,14 @@ date: '2024-10-17' author: Rico Valdez, Splunk status: experimental type: TTP -description: The following analytic identifies child processes spawned by spoolsv.exe, - the Print Spooler service in Windows, which typically runs with SYSTEM privileges. - This detection leverages data from Endpoint Detection and Response (EDR) agents, - focusing on process and parent process relationships. Monitoring this activity is - crucial as it can indicate exploitation attempts, such as those associated with - CVE-2018-8440, which can lead to privilege escalation. If confirmed malicious, attackers - could gain SYSTEM-level access, allowing them to execute arbitrary code, escalate - privileges, and potentially compromise the entire system. +description: The following analytic identifies child processes spawned by spoolsv.exe, the Print Spooler service in Windows, which typically runs with SYSTEM privileges. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process and parent process relationships. Monitoring this activity is crucial as it can indicate exploitation attempts, such as those associated with CVE-2018-8440, which can lead to privilege escalation. If confirmed malicious, attackers could gain SYSTEM-level access, allowing them to execute arbitrary code, escalate privileges, and potentially compromise the entire system. data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count values(Processes.process_name) - as process_name values(Processes.process) as process min(_time) as firstTime max(_time) - as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=spoolsv.exe - AND Processes.process_name!=regsvr32.exe by Processes.dest Processes.parent_process - Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` | `child_processes_of_spoolsv_exe_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection - and Response (EDR) agents. These agents are designed to provide security-related - telemetry from the endpoints where the agent is installed. To implement this search, - you must ingest logs that contain the process GUID, process name, and parent process. - Additionally, you must ingest complete command-line executions. These logs must - be processed using the appropriate Splunk Technology Add-ons that are specific to - the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` - data model. Use the Splunk Common Information Model (CIM) to normalize the field - names and speed up the data modeling process. -known_false_positives: Some legitimate printer-related processes may show up as children - of spoolsv.exe. You should confirm that any activity as legitimate and may be added - as exclusions in the search. +search: '| tstats `security_content_summariesonly` count values(Processes.process_name) as process_name values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=spoolsv.exe AND Processes.process_name!=regsvr32.exe by Processes.dest Processes.parent_process Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `child_processes_of_spoolsv_exe_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. +known_false_positives: Some legitimate printer-related processes may show up as children of spoolsv.exe. You should confirm that any activity as legitimate and may be added as exclusions in the search. references: [] tags: analytic_story: diff --git a/detections/endpoint/clear_unallocated_sector_using_cipher_app.yml b/detections/endpoint/clear_unallocated_sector_using_cipher_app.yml index 41af987b76..46476e654e 100644 --- a/detections/endpoint/clear_unallocated_sector_using_cipher_app.yml +++ b/detections/endpoint/clear_unallocated_sector_using_cipher_app.yml @@ -17,12 +17,12 @@ references: - https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/3/ - https://www.sophos.com/en-us/medialibrary/PDFs/technical-papers/sophoslabs-ransomware-behavior-report.pdf drilldown_searches: -- name: View the detection results for $user$ and $dest$ - search: '%original_detection_search% | search user = $user$ dest = $dest$' +- name: View the detection results for - "$user$" and "$dest$" + search: '%original_detection_search% | search user = "$user$" dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ and $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$, $dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" and "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/clop_common_exec_parameter.yml b/detections/endpoint/clop_common_exec_parameter.yml index 81de547ccc..1d79649be3 100644 --- a/detections/endpoint/clop_common_exec_parameter.yml +++ b/detections/endpoint/clop_common_exec_parameter.yml @@ -17,12 +17,12 @@ references: - https://www.mandiant.com/resources/fin11-email-campaigns-precursor-for-ransomware-data-theft - https://blog.virustotal.com/2020/11/keep-your-friends-close-keep-ransomware.html drilldown_searches: -- name: View the detection results for $user$ and $dest$ - search: '%original_detection_search% | search user = $user$ dest = $dest$' +- name: View the detection results for - "$user$" and "$dest$" + search: '%original_detection_search% | search user = "$user$" dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ and $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$, $dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" and "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/clop_ransomware_known_service_name.yml b/detections/endpoint/clop_ransomware_known_service_name.yml index 18abb9f5ed..f0e39741e1 100644 --- a/detections/endpoint/clop_ransomware_known_service_name.yml +++ b/detections/endpoint/clop_ransomware_known_service_name.yml @@ -15,12 +15,12 @@ references: - https://www.mandiant.com/resources/fin11-email-campaigns-precursor-for-ransomware-data-theft - https://blog.virustotal.com/2020/11/keep-your-friends-close-keep-ransomware.html drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/cmd_carry_out_string_command_parameter.yml b/detections/endpoint/cmd_carry_out_string_command_parameter.yml index 027cda53a0..993c1a9197 100644 --- a/detections/endpoint/cmd_carry_out_string_command_parameter.yml +++ b/detections/endpoint/cmd_carry_out_string_command_parameter.yml @@ -5,34 +5,14 @@ date: '2024-10-17' author: Teoderick Contreras, Bhavin Patel, Splunk status: production type: Hunting -description: The following analytic detects the use of `cmd.exe /c` to execute commands, - a technique often employed by adversaries and malware to run batch commands or invoke - other shells like PowerShell. This detection leverages data from Endpoint Detection - and Response (EDR) agents, focusing on command-line executions and process metadata. - Monitoring this activity is crucial as it can indicate script-based attacks or unauthorized - command execution. If confirmed malicious, this behavior could lead to unauthorized - code execution, privilege escalation, or persistence within the environment. +description: The following analytic detects the use of `cmd.exe /c` to execute commands, a technique often employed by adversaries and malware to run batch commands or invoke other shells like PowerShell. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions and process metadata. Monitoring this activity is crucial as it can indicate script-based attacks or unauthorized command execution. If confirmed malicious, this behavior could lead to unauthorized code execution, privilege escalation, or persistence within the environment. data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) - as lastTime from datamodel=Endpoint.Processes where `process_cmd` AND Processes.process="* - /c*" by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process - Processes.process_name Processes.original_file_name Processes.process Processes.process_id - Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` | `cmd_carry_out_string_command_parameter_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection - and Response (EDR) agents. These agents are designed to provide security-related - telemetry from the endpoints where the agent is installed. To implement this search, - you must ingest logs that contain the process GUID, process name, and parent process. - Additionally, you must ingest complete command-line executions. These logs must - be processed using the appropriate Splunk Technology Add-ons that are specific to - the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` - data model. Use the Splunk Common Information Model (CIM) to normalize the field - names and speed up the data modeling process. -known_false_positives: False positives may be high based on legitimate scripted code - in any environment. Filter as needed. +search: '| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_cmd` AND Processes.process="* /c*" by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `cmd_carry_out_string_command_parameter_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. +known_false_positives: False positives may be high based on legitimate scripted code in any environment. Filter as needed. references: - https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/ - https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/ @@ -64,8 +44,7 @@ tags: cve: - CVE-2021-44228 impact: 60 - message: An instance of $parent_process_name$ spawning $process_name$ was identified - on endpoint $dest$ by user $user$ attempting spawn a new process. + message: An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting spawn a new process. mitre_attack_id: - T1059.003 - T1059 @@ -98,7 +77,6 @@ tags: tests: - name: True Positive Test attack_data: - - data: - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/icedid/cmd_carry_str_param/sysmon.log + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/icedid/cmd_carry_str_param/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/cmd_echo_pipe___escalation.yml b/detections/endpoint/cmd_echo_pipe___escalation.yml index b1cd85391b..dd4902e31f 100644 --- a/detections/endpoint/cmd_echo_pipe___escalation.yml +++ b/detections/endpoint/cmd_echo_pipe___escalation.yml @@ -17,12 +17,12 @@ references: - https://redcanary.com/threat-detection-report/threats/cobalt-strike/ - https://github.com/rapid7/meterpreter/blob/master/source/extensions/priv/server/elevate/namedpipe.c drilldown_searches: -- name: View the detection results for $user$ and $dest$ - search: '%original_detection_search% | search user = $user$ dest = $dest$' +- name: View the detection results for - "$user$" and "$dest$" + search: '%original_detection_search% | search user = "$user$" dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ and $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$, $dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" and "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/cmdline_tool_not_executed_in_cmd_shell.yml b/detections/endpoint/cmdline_tool_not_executed_in_cmd_shell.yml index 9d86462902..c72cf1154f 100644 --- a/detections/endpoint/cmdline_tool_not_executed_in_cmd_shell.yml +++ b/detections/endpoint/cmdline_tool_not_executed_in_cmd_shell.yml @@ -18,12 +18,12 @@ references: - https://attack.mitre.org/groups/G0046/ - https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/ drilldown_searches: -- name: View the detection results for $dest$ and $user$ - search: '%original_detection_search% | search dest = $dest$ user = $user$' +- name: View the detection results for - "$dest$" and "$user$" + search: '%original_detection_search% | search dest = "$dest$" user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ and $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$, $user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" and "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/cmlua_or_cmstplua_uac_bypass.yml b/detections/endpoint/cmlua_or_cmstplua_uac_bypass.yml index 3180cef0aa..93a677c2f9 100644 --- a/detections/endpoint/cmlua_or_cmstplua_uac_bypass.yml +++ b/detections/endpoint/cmlua_or_cmstplua_uac_bypass.yml @@ -14,12 +14,12 @@ known_false_positives: Legitimate windows application that are not on the list l references: - https://attack.mitre.org/techniques/T1218/003/ drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/cobalt_strike_named_pipes.yml b/detections/endpoint/cobalt_strike_named_pipes.yml index 9e52adad9f..834651ff2f 100644 --- a/detections/endpoint/cobalt_strike_named_pipes.yml +++ b/detections/endpoint/cobalt_strike_named_pipes.yml @@ -20,12 +20,12 @@ references: - https://gist.github.com/MHaggis/6c600e524045a6d49c35291a21e10752 - https://www.mandiant.com/resources/shining-a-light-on-darkside-ransomware-operations drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/common_ransomware_extensions.yml b/detections/endpoint/common_ransomware_extensions.yml index abcf061f73..818569d4b6 100644 --- a/detections/endpoint/common_ransomware_extensions.yml +++ b/detections/endpoint/common_ransomware_extensions.yml @@ -5,33 +5,12 @@ date: '2024-10-17' author: David Dorsey, Michael Haag, Splunk, Steven Dick status: production type: Hunting -description: "The following analytic detects modifications to files with extensions - commonly associated with ransomware. It leverages the Endpoint.Filesystem data model - to identify changes in file extensions that match known ransomware patterns. This - activity is significant because it suggests an attacker is attempting to encrypt - or alter files, potentially leading to severe data loss and operational disruption. - If confirmed malicious, this activity could result in the encryption of critical - data, rendering it inaccessible and causing significant damage to the organization's - data integrity and availability." +description: The following analytic detects modifications to files with extensions commonly associated with ransomware. It leverages the Endpoint.Filesystem data model to identify changes in file extensions that match known ransomware patterns. This activity is significant because it suggests an attacker is attempting to encrypt or alter files, potentially leading to severe data loss and operational disruption. If confirmed malicious, this activity could result in the encryption of critical data, rendering it inaccessible and causing significant damage to the organization's data integrity and availability. data_source: - Sysmon EventID 11 -search: '| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) - as lastTime count latest(Filesystem.user) as user values(Filesystem.file_path) as - file_path from datamodel=Endpoint.Filesystem by Filesystem.file_name Filesystem.dest - _time span=1h | `drop_dm_object_name(Filesystem)` | rex field=file_name "(?\.[^\.]+)$" - | rex field=file_path "(?([^\\\]*\\\)*).*" | stats min(firstTime) - as firstTime max(lastTime) as lastTime latest(user) as user dc(true_file_path) as - path_count dc(file_name) as file_count latest(file_name) as file_name latest(true_file_path) - as file_path by dest file_extension | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` - | `ransomware_extensions` | where path_count > 1 OR file_count > 20 | `common_ransomware_extensions_filter`' -how_to_implement: 'You must be ingesting data that records the filesystem activity - from your hosts to populate the Endpoint Filesystem data model node. To see the - additional metadata, add the following fields, if not already present, please review - the detailed documentation on how to create a new field within Incident Review may - be found here: `https://docs.splunk.com/Documentation/ES/5.3.0/Admin/Customizenotables#Add_a_field_to_the_notable_event_details`' -known_false_positives: It is possible for a legitimate file with these extensions - to be created. If this is a true ransomware attack, there will be a large number - of files created with these extensions. +search: '| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime count latest(Filesystem.user) as user values(Filesystem.file_path) as file_path from datamodel=Endpoint.Filesystem by Filesystem.file_name Filesystem.dest _time span=1h | `drop_dm_object_name(Filesystem)` | rex field=file_name "(?\.[^\.]+)$" | rex field=file_path "(?([^\\\]*\\\)*).*" | stats min(firstTime) as firstTime max(lastTime) as lastTime latest(user) as user dc(true_file_path) as path_count dc(file_name) as file_count latest(file_name) as file_name latest(true_file_path) as file_path by dest file_extension | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `ransomware_extensions` | where path_count > 1 OR file_count > 20 | `common_ransomware_extensions_filter`' +how_to_implement: 'You must be ingesting data that records the filesystem activity from your hosts to populate the Endpoint Filesystem data model node. To see the additional metadata, add the following fields, if not already present, please review the detailed documentation on how to create a new field within Incident Review may be found here: `https://docs.splunk.com/Documentation/ES/5.3.0/Admin/Customizenotables#Add_a_field_to_the_notable_event_details`' +known_false_positives: It is possible for a legitimate file with these extensions to be created. If this is a true ransomware attack, there will be a large number of files created with these extensions. references: - https://github.com/splunk/security_content/issues/2448 tags: @@ -46,9 +25,7 @@ tags: asset_type: Endpoint confidence: 100 impact: 90 - message: The device $dest$ wrote $file_count$ files to $path_count$ path(s) with - the $file_extension$ extension. This extension and behavior may indicate a $Name$ - ransomware attack. + message: The device $dest$ wrote $file_count$ files to $path_count$ path(s) with the $file_extension$ extension. This extension and behavior may indicate a $Name$ ransomware attack. mitre_attack_id: - T1485 observable: @@ -75,7 +52,6 @@ tags: tests: - name: True Positive Test attack_data: - - data: - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1485/ransomware_notes/ransom-sysmon.log + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1485/ransomware_notes/ransom-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/common_ransomware_notes.yml b/detections/endpoint/common_ransomware_notes.yml index 1725ba09fd..f4ca5f9f09 100644 --- a/detections/endpoint/common_ransomware_notes.yml +++ b/detections/endpoint/common_ransomware_notes.yml @@ -5,27 +5,12 @@ date: '2024-10-17' author: David Dorsey, Splunk status: production type: Hunting -description: The following analytic detects the creation of files with names commonly - associated with ransomware notes. It leverages file-system activity data from the - Endpoint Filesystem data model, typically populated by endpoint detection and response - (EDR) tools or Sysmon logs. This activity is significant because ransomware notes - indicate a potential ransomware attack, which can lead to data encryption and extortion. - If confirmed malicious, this activity could result in significant data loss, operational - disruption, and financial impact due to ransom demands. +description: The following analytic detects the creation of files with names commonly associated with ransomware notes. It leverages file-system activity data from the Endpoint Filesystem data model, typically populated by endpoint detection and response (EDR) tools or Sysmon logs. This activity is significant because ransomware notes indicate a potential ransomware attack, which can lead to data encryption and extortion. If confirmed malicious, this activity could result in significant data loss, operational disruption, and financial impact due to ransom demands. data_source: - Sysmon EventID 11 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) - as lastTime values(Filesystem.user) as user values(Filesystem.dest) as dest values(Filesystem.file_path) - as file_path from datamodel=Endpoint.Filesystem by Filesystem.file_name | `drop_dm_object_name(Filesystem)` - | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `ransomware_notes` - | `common_ransomware_notes_filter`' -how_to_implement: You must be ingesting data that records file-system activity from - your hosts to populate the Endpoint Filesystem data-model node. This is typically - populated via endpoint detection-and-response product, such as Carbon Black, or - via other endpoint data sources, such as Sysmon. The data used for this search is - typically generated via logs that report file-system reads and writes. -known_false_positives: It's possible that a legitimate file could be created with - the same name used by ransomware note files. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(Filesystem.user) as user values(Filesystem.dest) as dest values(Filesystem.file_path) as file_path from datamodel=Endpoint.Filesystem by Filesystem.file_name | `drop_dm_object_name(Filesystem)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `ransomware_notes` | `common_ransomware_notes_filter`' +how_to_implement: You must be ingesting data that records file-system activity from your hosts to populate the Endpoint Filesystem data-model node. This is typically populated via endpoint detection-and-response product, such as Carbon Black, or via other endpoint data sources, such as Sysmon. The data used for this search is typically generated via logs that report file-system reads and writes. +known_false_positives: It's possible that a legitimate file could be created with the same name used by ransomware note files. references: [] tags: analytic_story: @@ -39,8 +24,7 @@ tags: asset_type: Endpoint confidence: 100 impact: 90 - message: A file - $file_name$ was written to disk on endpoint $dest$ by user $user$, - this is indicative of a known ransomware note file and should be reviewed immediately. + message: A file - $file_name$ was written to disk on endpoint $dest$ by user $user$, this is indicative of a known ransomware note file and should be reviewed immediately. mitre_attack_id: - T1485 observable: @@ -71,7 +55,6 @@ tags: tests: - name: True Positive Test attack_data: - - data: - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1485/ransomware_notes/windows-sysmon.log + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1485/ransomware_notes/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/connectwise_screenconnect_path_traversal.yml b/detections/endpoint/connectwise_screenconnect_path_traversal.yml index 27a488a520..ff931ce485 100644 --- a/detections/endpoint/connectwise_screenconnect_path_traversal.yml +++ b/detections/endpoint/connectwise_screenconnect_path_traversal.yml @@ -16,12 +16,12 @@ references: - https://www.huntress.com/blog/detection-guidance-for-connectwise-cwe-288-2 - https://www.connectwise.com/company/trust/security-bulletins/connectwise-screenconnect-23.9.8 drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/connectwise_screenconnect_path_traversal_windows_sacl.yml b/detections/endpoint/connectwise_screenconnect_path_traversal_windows_sacl.yml index f33813226a..20524735b2 100644 --- a/detections/endpoint/connectwise_screenconnect_path_traversal_windows_sacl.yml +++ b/detections/endpoint/connectwise_screenconnect_path_traversal_windows_sacl.yml @@ -17,12 +17,12 @@ references: - https://www.huntress.com/blog/detection-guidance-for-connectwise-cwe-288-2 - https://www.connectwise.com/company/trust/security-bulletins/connectwise-screenconnect-23.9.8 drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/conti_common_exec_parameter.yml b/detections/endpoint/conti_common_exec_parameter.yml index 939a31b640..dba79959d6 100644 --- a/detections/endpoint/conti_common_exec_parameter.yml +++ b/detections/endpoint/conti_common_exec_parameter.yml @@ -16,12 +16,12 @@ known_false_positives: 3rd party tool may have commandline parameter that can tr references: - https://malpedia.caad.fkie.fraunhofer.de/details/win.conti drilldown_searches: -- name: View the detection results for $user$ and $dest$ - search: '%original_detection_search% | search user = $user$ dest = $dest$' +- name: View the detection results for - "$user$" and "$dest$" + search: '%original_detection_search% | search user = "$user$" dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ and $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$, $dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" and "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/control_loading_from_world_writable_directory.yml b/detections/endpoint/control_loading_from_world_writable_directory.yml index 1506a229f7..7e55e49eab 100644 --- a/detections/endpoint/control_loading_from_world_writable_directory.yml +++ b/detections/endpoint/control_loading_from_world_writable_directory.yml @@ -20,12 +20,12 @@ references: - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444 - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.002/T1218.002.yaml drilldown_searches: -- name: View the detection results for $user$ and $dest$ - search: '%original_detection_search% | search user = $user$ dest = $dest$' +- name: View the detection results for - "$user$" and "$dest$" + search: '%original_detection_search% | search user = "$user$" dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ and $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$, $dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" and "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/create_local_admin_accounts_using_net_exe.yml b/detections/endpoint/create_local_admin_accounts_using_net_exe.yml index 5ea9e7750c..afa8171ec4 100644 --- a/detections/endpoint/create_local_admin_accounts_using_net_exe.yml +++ b/detections/endpoint/create_local_admin_accounts_using_net_exe.yml @@ -15,12 +15,12 @@ how_to_implement: The detection is based on data that originates from Endpoint D known_false_positives: Administrators often leverage net.exe to create admin accounts. references: [] drilldown_searches: -- name: View the detection results for $user$ and $dest$ - search: '%original_detection_search% | search user = $user$ dest = $dest$' +- name: View the detection results for - "$user$" and "$dest$" + search: '%original_detection_search% | search user = "$user$" dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ and $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$, $dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" and "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/create_or_delete_windows_shares_using_net_exe.yml b/detections/endpoint/create_or_delete_windows_shares_using_net_exe.yml index 42fe060360..a2f645d962 100644 --- a/detections/endpoint/create_or_delete_windows_shares_using_net_exe.yml +++ b/detections/endpoint/create_or_delete_windows_shares_using_net_exe.yml @@ -16,12 +16,12 @@ known_false_positives: Administrators often leverage net.exe to create or delete references: - https://attack.mitre.org/techniques/T1070/005/ drilldown_searches: -- name: View the detection results for $user$ and $dest$ - search: '%original_detection_search% | search user = $user$ dest = $dest$' +- name: View the detection results for - "$user$" and "$dest$" + search: '%original_detection_search% | search user = "$user$" dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ and $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$, $dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" and "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/create_remote_thread_in_shell_application.yml b/detections/endpoint/create_remote_thread_in_shell_application.yml index c352876050..d628c43f6b 100644 --- a/detections/endpoint/create_remote_thread_in_shell_application.yml +++ b/detections/endpoint/create_remote_thread_in_shell_application.yml @@ -14,12 +14,12 @@ known_false_positives: unknown references: - https://thedfirreport.com/2021/07/19/icedid-and-cobalt-strike-vs-antivirus/ drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/create_remote_thread_into_lsass.yml b/detections/endpoint/create_remote_thread_into_lsass.yml index fa4eda728d..50b28812d4 100644 --- a/detections/endpoint/create_remote_thread_into_lsass.yml +++ b/detections/endpoint/create_remote_thread_into_lsass.yml @@ -14,12 +14,12 @@ known_false_positives: Other tools can access LSASS for legitimate reasons and g references: - https://2017.zeronights.org/wp-content/uploads/materials/ZN17_Kheirkhabarov_Hunting_for_Credentials_Dumping_in_Windows_Environment.pdf drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/creation_of_lsass_dump_with_taskmgr.yml b/detections/endpoint/creation_of_lsass_dump_with_taskmgr.yml index d0412e5bab..37b2a6b958 100644 --- a/detections/endpoint/creation_of_lsass_dump_with_taskmgr.yml +++ b/detections/endpoint/creation_of_lsass_dump_with_taskmgr.yml @@ -16,12 +16,12 @@ references: - https://attack.mitre.org/techniques/T1003/001/ - https://2017.zeronights.org/wp-content/uploads/materials/ZN17_Kheirkhabarov_Hunting_for_Credentials_Dumping_in_Windows_Environment.pdf drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/creation_of_shadow_copy.yml b/detections/endpoint/creation_of_shadow_copy.yml index c88288227b..7a2fe63f71 100644 --- a/detections/endpoint/creation_of_shadow_copy.yml +++ b/detections/endpoint/creation_of_shadow_copy.yml @@ -17,12 +17,12 @@ references: - https://2017.zeronights.org/wp-content/uploads/materials/ZN17_Kheirkhabarov_Hunting_for_Credentials_Dumping_in_Windows_Environment.pdf - https://media.defense.gov/2023/May/24/2003229517/-1/-1/0/CSA_Living_off_the_Land.PDF drilldown_searches: -- name: View the detection results for $user$ and $dest$ - search: '%original_detection_search% | search user = $user$ dest = $dest$' +- name: View the detection results for - "$user$" and "$dest$" + search: '%original_detection_search% | search user = "$user$" dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ and $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$, $dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" and "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/creation_of_shadow_copy_with_wmic_and_powershell.yml b/detections/endpoint/creation_of_shadow_copy_with_wmic_and_powershell.yml index b69fccce57..fc2051438e 100644 --- a/detections/endpoint/creation_of_shadow_copy_with_wmic_and_powershell.yml +++ b/detections/endpoint/creation_of_shadow_copy_with_wmic_and_powershell.yml @@ -17,12 +17,12 @@ references: - https://2017.zeronights.org/wp-content/uploads/materials/ZN17_Kheirkhabarov_Hunting_for_Credentials_Dumping_in_Windows_Environment.pdf - https://media.defense.gov/2023/May/24/2003229517/-1/-1/0/CSA_Living_off_the_Land.PDF drilldown_searches: -- name: View the detection results for $user$ and $dest$ - search: '%original_detection_search% | search user = $user$ dest = $dest$' +- name: View the detection results for - "$user$" and "$dest$" + search: '%original_detection_search% | search user = "$user$" dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ and $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$, $dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" and "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/credential_dumping_via_copy_command_from_shadow_copy.yml b/detections/endpoint/credential_dumping_via_copy_command_from_shadow_copy.yml index d713b64287..14f5e9b08c 100644 --- a/detections/endpoint/credential_dumping_via_copy_command_from_shadow_copy.yml +++ b/detections/endpoint/credential_dumping_via_copy_command_from_shadow_copy.yml @@ -16,12 +16,12 @@ known_false_positives: unknown references: - https://2017.zeronights.org/wp-content/uploads/materials/ZN17_Kheirkhabarov_Hunting_for_Credentials_Dumping_in_Windows_Environment.pdf drilldown_searches: -- name: View the detection results for $user$ and $dest$ - search: '%original_detection_search% | search user = $user$ dest = $dest$' +- name: View the detection results for - "$user$" and "$dest$" + search: '%original_detection_search% | search user = "$user$" dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ and $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$, $dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" and "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/credential_dumping_via_symlink_to_shadow_copy.yml b/detections/endpoint/credential_dumping_via_symlink_to_shadow_copy.yml index b06ba10417..812446cfa7 100644 --- a/detections/endpoint/credential_dumping_via_symlink_to_shadow_copy.yml +++ b/detections/endpoint/credential_dumping_via_symlink_to_shadow_copy.yml @@ -16,12 +16,12 @@ known_false_positives: unknown references: - https://2017.zeronights.org/wp-content/uploads/materials/ZN17_Kheirkhabarov_Hunting_for_Credentials_Dumping_in_Windows_Environment.pdf drilldown_searches: -- name: View the detection results for $user$ and $dest$ - search: '%original_detection_search% | search user = $user$ dest = $dest$' +- name: View the detection results for - "$user$" and "$dest$" + search: '%original_detection_search% | search user = "$user$" dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ and $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$, $dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" and "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/crowdstrike_admin_weak_password_policy.yml b/detections/endpoint/crowdstrike_admin_weak_password_policy.yml index 6d87e2c6f5..ba86802987 100644 --- a/detections/endpoint/crowdstrike_admin_weak_password_policy.yml +++ b/detections/endpoint/crowdstrike_admin_weak_password_policy.yml @@ -13,12 +13,12 @@ known_false_positives: unknown references: - https://www.crowdstrike.com/wp-content/uploads/2022/12/CrowdStrike-Falcon-Event-Streams-Add-on-Guide-v3.pdf drilldown_searches: -- name: View the detection results for $user$ - search: '%original_detection_search% | search user = $user$' +- name: View the detection results for - "$user$" + search: '%original_detection_search% | search user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/crowdstrike_admin_with_duplicate_password.yml b/detections/endpoint/crowdstrike_admin_with_duplicate_password.yml index e3a634b774..e79de23f10 100644 --- a/detections/endpoint/crowdstrike_admin_with_duplicate_password.yml +++ b/detections/endpoint/crowdstrike_admin_with_duplicate_password.yml @@ -13,12 +13,12 @@ known_false_positives: unknown references: - https://www.crowdstrike.com/wp-content/uploads/2022/12/CrowdStrike-Falcon-Event-Streams-Add-on-Guide-v3.pdf drilldown_searches: -- name: View the detection results for $user$ - search: '%original_detection_search% | search user = $user$' +- name: View the detection results for - "$user$" + search: '%original_detection_search% | search user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/crowdstrike_high_identity_risk_severity.yml b/detections/endpoint/crowdstrike_high_identity_risk_severity.yml index 2043ab335a..29dfcd8537 100644 --- a/detections/endpoint/crowdstrike_high_identity_risk_severity.yml +++ b/detections/endpoint/crowdstrike_high_identity_risk_severity.yml @@ -13,12 +13,12 @@ known_false_positives: unknown references: - https://www.crowdstrike.com/wp-content/uploads/2022/12/CrowdStrike-Falcon-Event-Streams-Add-on-Guide-v3.pdf drilldown_searches: -- name: View the detection results for $user$ - search: '%original_detection_search% | search user = $user$' +- name: View the detection results for - "$user$" + search: '%original_detection_search% | search user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/crowdstrike_medium_identity_risk_severity.yml b/detections/endpoint/crowdstrike_medium_identity_risk_severity.yml index 44eb51de15..287e827d22 100644 --- a/detections/endpoint/crowdstrike_medium_identity_risk_severity.yml +++ b/detections/endpoint/crowdstrike_medium_identity_risk_severity.yml @@ -13,12 +13,12 @@ known_false_positives: unknown references: - https://www.crowdstrike.com/wp-content/uploads/2022/12/CrowdStrike-Falcon-Event-Streams-Add-on-Guide-v3.pdf drilldown_searches: -- name: View the detection results for $user$ - search: '%original_detection_search% | search user = $user$' +- name: View the detection results for - "$user$" + search: '%original_detection_search% | search user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/crowdstrike_medium_severity_alert.yml b/detections/endpoint/crowdstrike_medium_severity_alert.yml index 94b1af113a..4434865a56 100644 --- a/detections/endpoint/crowdstrike_medium_severity_alert.yml +++ b/detections/endpoint/crowdstrike_medium_severity_alert.yml @@ -13,12 +13,12 @@ known_false_positives: unknown references: - https://www.crowdstrike.com/wp-content/uploads/2022/12/CrowdStrike-Falcon-Event-Streams-Add-on-Guide-v3.pdf drilldown_searches: -- name: View the detection results for $user$ - search: '%original_detection_search% | search user = $user$' +- name: View the detection results for - "$user$" + search: '%original_detection_search% | search user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/crowdstrike_multiple_low_severity_alerts.yml b/detections/endpoint/crowdstrike_multiple_low_severity_alerts.yml index 45dda2566b..f0ae09358a 100644 --- a/detections/endpoint/crowdstrike_multiple_low_severity_alerts.yml +++ b/detections/endpoint/crowdstrike_multiple_low_severity_alerts.yml @@ -13,12 +13,12 @@ known_false_positives: unknown references: - https://www.crowdstrike.com/wp-content/uploads/2022/12/CrowdStrike-Falcon-Event-Streams-Add-on-Guide-v3.pdf drilldown_searches: -- name: View the detection results for $src_host$ - search: '%original_detection_search% | search src_host = $src_host$' +- name: View the detection results for - "$src_host$" + search: '%original_detection_search% | search src_host = "$src_host$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $src_host$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($src_host$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$src_host$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src_host$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/crowdstrike_privilege_escalation_for_non_admin_user.yml b/detections/endpoint/crowdstrike_privilege_escalation_for_non_admin_user.yml index 31c4bca624..6580ceb4ee 100644 --- a/detections/endpoint/crowdstrike_privilege_escalation_for_non_admin_user.yml +++ b/detections/endpoint/crowdstrike_privilege_escalation_for_non_admin_user.yml @@ -13,12 +13,12 @@ known_false_positives: unknown references: - https://www.crowdstrike.com/wp-content/uploads/2022/12/CrowdStrike-Falcon-Event-Streams-Add-on-Guide-v3.pdf drilldown_searches: -- name: View the detection results for $user$ - search: '%original_detection_search% | search user = $user$' +- name: View the detection results for - "$user$" + search: '%original_detection_search% | search user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/crowdstrike_user_weak_password_policy.yml b/detections/endpoint/crowdstrike_user_weak_password_policy.yml index 70d496763b..88c8cb2623 100644 --- a/detections/endpoint/crowdstrike_user_weak_password_policy.yml +++ b/detections/endpoint/crowdstrike_user_weak_password_policy.yml @@ -13,12 +13,12 @@ known_false_positives: unknown references: - https://www.crowdstrike.com/wp-content/uploads/2022/12/CrowdStrike-Falcon-Event-Streams-Add-on-Guide-v3.pdf drilldown_searches: -- name: View the detection results for $user$ - search: '%original_detection_search% | search user = $user$' +- name: View the detection results for - "$user$" + search: '%original_detection_search% | search user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/crowdstrike_user_with_duplicate_password.yml b/detections/endpoint/crowdstrike_user_with_duplicate_password.yml index 6e926c1fb5..1644e8c058 100644 --- a/detections/endpoint/crowdstrike_user_with_duplicate_password.yml +++ b/detections/endpoint/crowdstrike_user_with_duplicate_password.yml @@ -13,12 +13,12 @@ known_false_positives: unknown references: - https://www.crowdstrike.com/wp-content/uploads/2022/12/CrowdStrike-Falcon-Event-Streams-Add-on-Guide-v3.pdf drilldown_searches: -- name: View the detection results for $user$ - search: '%original_detection_search% | search user = $user$' +- name: View the detection results for - "$user$" + search: '%original_detection_search% | search user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/csc_net_on_the_fly_compilation.yml b/detections/endpoint/csc_net_on_the_fly_compilation.yml index 85a3f0481d..aada2ca714 100644 --- a/detections/endpoint/csc_net_on_the_fly_compilation.yml +++ b/detections/endpoint/csc_net_on_the_fly_compilation.yml @@ -5,37 +5,14 @@ date: '2024-10-17' author: Teoderick Contreras, Splunk status: production type: Hunting -description: The following analytic detects the use of the .NET compiler csc.exe for - on-the-fly compilation of potentially malicious .NET code. It leverages data from - Endpoint Detection and Response (EDR) agents, focusing on specific command-line - patterns associated with csc.exe. This activity is significant because adversaries - and malware often use this technique to evade detection by compiling malicious code - at runtime. If confirmed malicious, this could allow attackers to execute arbitrary - code, potentially leading to system compromise, data exfiltration, or further lateral - movement within the network. +description: The following analytic detects the use of the .NET compiler csc.exe for on-the-fly compilation of potentially malicious .NET code. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on specific command-line patterns associated with csc.exe. This activity is significant because adversaries and malware often use this technique to evade detection by compiling malicious code at runtime. If confirmed malicious, this could allow attackers to execute arbitrary code, potentially leading to system compromise, data exfiltration, or further lateral movement within the network. data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) - as lastTime from datamodel=Endpoint.Processes where `process_csc` Processes.process - = "*/noconfig*" Processes.process = "*/fullpaths*" Processes.process = "*@*" by - Processes.dest Processes.user Processes.parent_process_name Processes.parent_process - Processes.process_name Processes.process Processes.process_id Processes.parent_process_id - | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` - | `csc_net_on_the_fly_compilation_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection - and Response (EDR) agents. These agents are designed to provide security-related - telemetry from the endpoints where the agent is installed. To implement this search, - you must ingest logs that contain the process GUID, process name, and parent process. - Additionally, you must ingest complete command-line executions. These logs must - be processed using the appropriate Splunk Technology Add-ons that are specific to - the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` - data model. Use the Splunk Common Information Model (CIM) to normalize the field - names and speed up the data modeling process. -known_false_positives: A network operator or systems administrator may utilize an - automated powershell script taht execute .net code that may generate false positive. - filter is needed. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_csc` Processes.process = "*/noconfig*" Processes.process = "*/fullpaths*" Processes.process = "*@*" by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `csc_net_on_the_fly_compilation_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. +known_false_positives: A network operator or systems administrator may utilize an automated powershell script taht execute .net code that may generate false positive. filter is needed. references: - https://app.any.run/tasks/ad4c3cda-41f2-4401-8dba-56cc2d245488/ - https://tccontre.blogspot.com/2019/06/maicious-macro-that-compile-c-code-as.html @@ -73,7 +50,6 @@ tags: tests: - name: True Positive Test attack_data: - - data: - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/vilsel/sysmon.log + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/vilsel/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/curl_download_and_bash_execution.yml b/detections/endpoint/curl_download_and_bash_execution.yml index b2d2486303..2ce7820ed7 100644 --- a/detections/endpoint/curl_download_and_bash_execution.yml +++ b/detections/endpoint/curl_download_and_bash_execution.yml @@ -18,12 +18,12 @@ references: - https://www.lunasec.io/docs/blog/log4j-zero-day/ - https://gist.github.com/nathanqthai/01808c569903f41a52e7e7b575caa890 drilldown_searches: -- name: View the detection results for $user$ and $dest$ - search: '%original_detection_search% | search user = $user$ dest = $dest$' +- name: View the detection results for - "$user$" and "$dest$" + search: '%original_detection_search% | search user = "$user$" dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ and $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$, $dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" and "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/delete_shadowcopy_with_powershell.yml b/detections/endpoint/delete_shadowcopy_with_powershell.yml index 66c6399613..4f3afdd08f 100644 --- a/detections/endpoint/delete_shadowcopy_with_powershell.yml +++ b/detections/endpoint/delete_shadowcopy_with_powershell.yml @@ -15,12 +15,12 @@ references: - https://www.mandiant.com/resources/shining-a-light-on-darkside-ransomware-operations - https://www.techtarget.com/searchwindowsserver/tutorial/Set-up-PowerShell-script-block-logging-for-added-security drilldown_searches: -- name: View the detection results for $user$ and $dest$ - search: '%original_detection_search% | search user = $user$ dest = $dest$' +- name: View the detection results for - "$user$" and "$dest$" + search: '%original_detection_search% | search user = "$user$" dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ and $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$, $dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" and "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/deleting_of_net_users.yml b/detections/endpoint/deleting_of_net_users.yml index 5c74644a8c..4607f1e1f6 100644 --- a/detections/endpoint/deleting_of_net_users.yml +++ b/detections/endpoint/deleting_of_net_users.yml @@ -16,12 +16,12 @@ known_false_positives: System administrators or scripts may delete user accounts references: - https://thedfirreport.com/2020/04/20/sqlserver-or-the-miner-in-the-basement/ drilldown_searches: -- name: View the detection results for $user$ and $dest$ - search: '%original_detection_search% | search user = $user$ dest = $dest$' +- name: View the detection results for - "$user$" and "$dest$" + search: '%original_detection_search% | search user = "$user$" dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ and $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$, $dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" and "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/deleting_shadow_copies.yml b/detections/endpoint/deleting_shadow_copies.yml index ec13090141..69df45e726 100644 --- a/detections/endpoint/deleting_shadow_copies.yml +++ b/detections/endpoint/deleting_shadow_copies.yml @@ -16,12 +16,12 @@ known_false_positives: vssadmin.exe and wmic.exe are standard applications shipp references: - https://blogs.vmware.com/security/2022/10/lockbit-3-0-also-known-as-lockbit-black.html drilldown_searches: -- name: View the detection results for $user$ and $dest$ - search: '%original_detection_search% | search user = $user$ dest = $dest$' +- name: View the detection results for - "$user$" and "$dest$" + search: '%original_detection_search% | search user = "$user$" dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ and $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$, $dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" and "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/detect_azurehound_command_line_arguments.yml b/detections/endpoint/detect_azurehound_command_line_arguments.yml index ab7ba94cfd..20dbae6517 100644 --- a/detections/endpoint/detect_azurehound_command_line_arguments.yml +++ b/detections/endpoint/detect_azurehound_command_line_arguments.yml @@ -19,12 +19,12 @@ references: - https://posts.specterops.io/introducing-bloodhound-4-0-the-azure-update-9b2b26c5e350 - https://github.com/BloodHoundAD/Legacy-AzureHound.ps1/blob/master/AzureHound.ps1 drilldown_searches: -- name: View the detection results for $user$ and $dest$ - search: '%original_detection_search% | search user = $user$ dest = $dest$' +- name: View the detection results for - "$user$" and "$dest$" + search: '%original_detection_search% | search user = "$user$" dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ and $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$, $dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" and "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/detect_azurehound_file_modifications.yml b/detections/endpoint/detect_azurehound_file_modifications.yml index e97950465d..da44e3a321 100644 --- a/detections/endpoint/detect_azurehound_file_modifications.yml +++ b/detections/endpoint/detect_azurehound_file_modifications.yml @@ -15,12 +15,12 @@ references: - https://posts.specterops.io/introducing-bloodhound-4-0-the-azure-update-9b2b26c5e350 - https://github.com/BloodHoundAD/Legacy-AzureHound.ps1/blob/master/AzureHound.ps1 drilldown_searches: -- name: View the detection results for $user$ and $dest$ - search: '%original_detection_search% | search user = $user$ dest = $dest$' +- name: View the detection results for - "$user$" and "$dest$" + search: '%original_detection_search% | search user = "$user$" dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ and $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$, $dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" and "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/detect_baron_samedit_cve_2021_3156.yml b/detections/endpoint/detect_baron_samedit_cve_2021_3156.yml index 2d1c9bf4b6..51473d194c 100644 --- a/detections/endpoint/detect_baron_samedit_cve_2021_3156.yml +++ b/detections/endpoint/detect_baron_samedit_cve_2021_3156.yml @@ -5,14 +5,10 @@ date: '2024-10-17' author: Shannon Davis, Splunk status: experimental type: TTP -description: |- - The following analytic detects attempts to exploit the Baron Samedit vulnerability (CVE-2021-3156) by identifying the use of the "sudoedit -s \\" command. This detection leverages logs from Linux systems, specifically searching for instances of the sudoedit command with the "-s" flag followed by a double quote. This activity is significant because it indicates an attempt to exploit a known vulnerability that allows attackers to gain root privileges. If confirmed malicious, this could lead to complete system compromise, unauthorized access to sensitive data, and potential data breaches. +description: The following analytic detects attempts to exploit the Baron Samedit vulnerability (CVE-2021-3156) by identifying the use of the "sudoedit -s \\" command. This detection leverages logs from Linux systems, specifically searching for instances of the sudoedit command with the "-s" flag followed by a double quote. This activity is significant because it indicates an attempt to exploit a known vulnerability that allows attackers to gain root privileges. If confirmed malicious, this could lead to complete system compromise, unauthorized access to sensitive data, and potential data breaches. data_source: [] search: '`linux_hosts` "sudoedit -s \\" | `detect_baron_samedit_cve_2021_3156_filter`' -how_to_implement: Splunk Universal Forwarder running on Linux systems, capturing logs - from the /var/log directory. The vulnerability is exposed when a non privledged - user tries passing in a single \ character at the end of the command while using - the shell and edit flags. +how_to_implement: Splunk Universal Forwarder running on Linux systems, capturing logs from the /var/log directory. The vulnerability is exposed when a non privledged user tries passing in a single \ character at the end of the command while using the shell and edit flags. known_false_positives: unknown references: [] tags: diff --git a/detections/endpoint/detect_baron_samedit_cve_2021_3156_segfault.yml b/detections/endpoint/detect_baron_samedit_cve_2021_3156_segfault.yml index 2c8463b82a..c27585e4f2 100644 --- a/detections/endpoint/detect_baron_samedit_cve_2021_3156_segfault.yml +++ b/detections/endpoint/detect_baron_samedit_cve_2021_3156_segfault.yml @@ -5,18 +5,11 @@ date: '2024-10-17' author: Shannon Davis, Splunk status: experimental type: TTP -description: |- - The following analytic identifies a heap-based buffer overflow in sudoedit by detecting Linux logs containing both "sudoedit" and "segfault" terms. This detection leverages Splunk to monitor for more than five occurrences of these terms on a single host within a specified timeframe. This activity is significant because exploiting this vulnerability (CVE-2021-3156) can allow attackers to gain root privileges, leading to potential system compromise, unauthorized access, and data breaches. If confirmed malicious, this could result in elevated privileges and full control over the affected system, posing a severe security risk. +description: The following analytic identifies a heap-based buffer overflow in sudoedit by detecting Linux logs containing both "sudoedit" and "segfault" terms. This detection leverages Splunk to monitor for more than five occurrences of these terms on a single host within a specified timeframe. This activity is significant because exploiting this vulnerability (CVE-2021-3156) can allow attackers to gain root privileges, leading to potential system compromise, unauthorized access, and data breaches. If confirmed malicious, this could result in elevated privileges and full control over the affected system, posing a severe security risk. data_source: [] -search: '`linux_hosts` TERM(sudoedit) TERM(segfault) | stats count min(_time) as firstTime - max(_time) as lastTime by host | where count > 5 | `detect_baron_samedit_cve_2021_3156_segfault_filter`' -how_to_implement: Splunk Universal Forwarder running on Linux systems (tested on Centos - and Ubuntu), where segfaults are being logged. This also captures instances where - the exploit has been compiled into a binary. The detection looks for greater than - 5 instances of sudoedit combined with segfault over your search time period on a - single host -known_false_positives: If sudoedit is throwing segfaults for other reasons this will - pick those up too. +search: '`linux_hosts` TERM(sudoedit) TERM(segfault) | stats count min(_time) as firstTime max(_time) as lastTime by host | where count > 5 | `detect_baron_samedit_cve_2021_3156_segfault_filter`' +how_to_implement: Splunk Universal Forwarder running on Linux systems (tested on Centos and Ubuntu), where segfaults are being logged. This also captures instances where the exploit has been compiled into a binary. The detection looks for greater than 5 instances of sudoedit combined with segfault over your search time period on a single host +known_false_positives: If sudoedit is throwing segfaults for other reasons this will pick those up too. references: [] tags: analytic_story: diff --git a/detections/endpoint/detect_baron_samedit_cve_2021_3156_via_osquery.yml b/detections/endpoint/detect_baron_samedit_cve_2021_3156_via_osquery.yml index cff933c177..0b9df268ba 100644 --- a/detections/endpoint/detect_baron_samedit_cve_2021_3156_via_osquery.yml +++ b/detections/endpoint/detect_baron_samedit_cve_2021_3156_via_osquery.yml @@ -5,20 +5,10 @@ date: '2024-10-17' author: Shannon Davis, Splunk status: experimental type: TTP -description: "The following analytic detects the execution of the \"sudoedit -s *\"\ - \ command, which is associated with the Baron Samedit CVE-2021-3156 heap-based buffer - overflow vulnerability. This detection leverages the `osquery_process` data source - to identify instances where this specific command is run. This activity is significant - because it indicates an attempt to exploit a known vulnerability that allows privilege - escalation. If confirmed malicious, an attacker could gain full control of the system, - execute arbitrary code, or access sensitive data, leading to potential data breaches - and system disruptions." +description: The following analytic detects the execution of the "sudoedit -s *" command, which is associated with the Baron Samedit CVE-2021-3156 heap-based buffer overflow vulnerability. This detection leverages the `osquery_process` data source to identify instances where this specific command is run. This activity is significant because it indicates an attempt to exploit a known vulnerability that allows privilege escalation. If confirmed malicious, an attacker could gain full control of the system, execute arbitrary code, or access sensitive data, leading to potential data breaches and system disruptions. data_source: [] search: '`osquery_process` | search "columns.cmdline"="sudoedit -s \\*" | `detect_baron_samedit_cve_2021_3156_via_osquery_filter`' -how_to_implement: OSQuery installed and configured to pick up process events (info - at https://osquery.io) as well as using the Splunk OSQuery Add-on https://splunkbase.splunk.com/app/4402. - The vulnerability is exposed when a non privledged user tries passing in a single - \ character at the end of the command while using the shell and edit flags. +how_to_implement: OSQuery installed and configured to pick up process events (info at https://osquery.io) as well as using the Splunk OSQuery Add-on https://splunkbase.splunk.com/app/4402. The vulnerability is exposed when a non privledged user tries passing in a single \ character at the end of the command while using the shell and edit flags. known_false_positives: unknown references: [] tags: diff --git a/detections/endpoint/detect_certify_command_line_arguments.yml b/detections/endpoint/detect_certify_command_line_arguments.yml index 6fb6688968..12a560f63f 100644 --- a/detections/endpoint/detect_certify_command_line_arguments.yml +++ b/detections/endpoint/detect_certify_command_line_arguments.yml @@ -18,12 +18,12 @@ references: - https://github.com/ly4k/Certipy - https://specterops.io/wp-content/uploads/sites/3/2022/06/Certified_Pre-Owned.pdf drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/detect_certify_with_powershell_script_block_logging.yml b/detections/endpoint/detect_certify_with_powershell_script_block_logging.yml index 24fd2c08fa..65a3d07315 100644 --- a/detections/endpoint/detect_certify_with_powershell_script_block_logging.yml +++ b/detections/endpoint/detect_certify_with_powershell_script_block_logging.yml @@ -15,12 +15,12 @@ references: - https://github.com/GhostPack/Certify - https://specterops.io/wp-content/uploads/sites/3/2022/06/Certified_Pre-Owned.pdf drilldown_searches: -- name: View the detection results for $dest$ and $user$ - search: '%original_detection_search% | search dest = $dest$ user = $user$' +- name: View the detection results for - "$dest$" and "$user$" + search: '%original_detection_search% | search dest = "$dest$" user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ and $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$, $user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" and "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/detect_certipy_file_modifications.yml b/detections/endpoint/detect_certipy_file_modifications.yml index 085be5293b..80ff34e21c 100644 --- a/detections/endpoint/detect_certipy_file_modifications.yml +++ b/detections/endpoint/detect_certipy_file_modifications.yml @@ -14,12 +14,12 @@ known_false_positives: Unknown references: - https://github.com/ly4k/Certipy drilldown_searches: -- name: View the detection results for $dest$ and $user$ - search: '%original_detection_search% | search dest = $dest$ user = $user$' +- name: View the detection results for - "$dest$" and "$user$" + search: '%original_detection_search% | search dest = "$dest$" user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ and $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$, $user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" and "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/detect_computer_changed_with_anonymous_account.yml b/detections/endpoint/detect_computer_changed_with_anonymous_account.yml index bc859295f5..f1bdb3499a 100644 --- a/detections/endpoint/detect_computer_changed_with_anonymous_account.yml +++ b/detections/endpoint/detect_computer_changed_with_anonymous_account.yml @@ -5,25 +5,12 @@ date: '2024-10-17' author: Rod Soto, Jose Hernandez, Splunk status: experimental type: Hunting -description: The following analytic detects changes to computer accounts using an - anonymous logon. It leverages Windows Security Event Codes 4742 (Computer Change) - and 4624 (Successful Logon) with the TargetUserName set to "ANONYMOUS LOGON" and - LogonType 3. This activity is significant because anonymous logons should not typically - be modifying computer accounts, indicating potential unauthorized access or misconfiguration. - If confirmed malicious, this could allow an attacker to alter computer accounts, - potentially leading to privilege escalation or persistent access within the network. +description: The following analytic detects changes to computer accounts using an anonymous logon. It leverages Windows Security Event Codes 4742 (Computer Change) and 4624 (Successful Logon) with the TargetUserName set to "ANONYMOUS LOGON" and LogonType 3. This activity is significant because anonymous logons should not typically be modifying computer accounts, indicating potential unauthorized access or misconfiguration. If confirmed malicious, this could allow an attacker to alter computer accounts, potentially leading to privilege escalation or persistent access within the network. data_source: -- Windows Event Log Security 4624 +- Windows Event Log Security 4624 - Windows Event Log Security 4742 -search: '`wineventlog_security` EventCode=4624 OR EventCode=4742 TargetUserName="ANONYMOUS - LOGON" LogonType=3 | stats count values(host) as host, values(TargetDomainName) - as Domain, values(user) as user | `detect_computer_changed_with_anonymous_account_filter`' -how_to_implement: This search requires audit computer account management to be enabled - on the system in order to generate Event ID 4742. We strongly recommend that you - specify your environment-specific configurations (index, source, sourcetype, etc.) - for Windows Event Logs. Replace the macro definition with configurations for your - Splunk environment. The search also uses a post-filter macro designed to filter - out known false positives. +search: '`wineventlog_security` EventCode=4624 OR EventCode=4742 TargetUserName="ANONYMOUS LOGON" LogonType=3 | stats count values(host) as host, values(TargetDomainName) as Domain, values(user) as user | `detect_computer_changed_with_anonymous_account_filter`' +how_to_implement: This search requires audit computer account management to be enabled on the system in order to generate Event ID 4742. We strongly recommend that you specify your environment-specific configurations (index, source, sourcetype, etc.) for Windows Event Logs. Replace the macro definition with configurations for your Splunk environment. The search also uses a post-filter macro designed to filter out known false positives. known_false_positives: None thus far found references: - https://www.lares.com/blog/from-lares-labs-defensive-guidance-for-zerologon-cve-2020-1472/ @@ -35,9 +22,7 @@ tags: cve: - CVE-2020-1472 impact: 70 - message: The following $EventCode$ occurred on $dest$ by $user$ with Logon Type - 3, which may be indicative of the an account or group being changed by an anonymous - account. + message: The following $EventCode$ occurred on $dest$ by $user$ with Logon Type 3, which may be indicative of the an account or group being changed by an anonymous account. mitre_attack_id: - T1210 observable: diff --git a/detections/endpoint/detect_copy_of_shadowcopy_with_script_block_logging.yml b/detections/endpoint/detect_copy_of_shadowcopy_with_script_block_logging.yml index 6eb4319c42..9a66c3551e 100644 --- a/detections/endpoint/detect_copy_of_shadowcopy_with_script_block_logging.yml +++ b/detections/endpoint/detect_copy_of_shadowcopy_with_script_block_logging.yml @@ -16,12 +16,12 @@ references: - https://github.com/GossiTheDog/HiveNightmare - https://github.com/JumpsecLabs/Guidance-Advice/tree/main/SAM_Permissions drilldown_searches: -- name: View the detection results for $user$ and $dest$ - search: '%original_detection_search% | search user = $user$ dest = $dest$' +- name: View the detection results for - "$user$" and "$dest$" + search: '%original_detection_search% | search user = "$user$" dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ and $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$, $dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" and "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/detect_credential_dumping_through_lsass_access.yml b/detections/endpoint/detect_credential_dumping_through_lsass_access.yml index c5b23bb208..8b388ea2a8 100644 --- a/detections/endpoint/detect_credential_dumping_through_lsass_access.yml +++ b/detections/endpoint/detect_credential_dumping_through_lsass_access.yml @@ -13,12 +13,12 @@ how_to_implement: This search needs Sysmon Logs and a sysmon configuration, whic known_false_positives: The activity may be legitimate. Other tools can access lsass for legitimate reasons, and it's possible this event could be generated in those cases. In these cases, false positives should be fairly obvious and you may need to tweak the search to eliminate noise. references: [] drilldown_searches: -- name: View the detection results for $dest$ and $TargetImage$ - search: '%original_detection_search% | search dest = $dest$ TargetImage = $TargetImage$' +- name: View the detection results for - "$dest$" and "$TargetImage$" + search: '%original_detection_search% | search dest = "$dest$" TargetImage = "$TargetImage$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ and $TargetImage$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$, $TargetImage$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" and "$TargetImage$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$TargetImage$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/detect_critical_alerts_from_security_tools.yml b/detections/endpoint/detect_critical_alerts_from_security_tools.yml index b176c39e52..d0d4eb1e62 100644 --- a/detections/endpoint/detect_critical_alerts_from_security_tools.yml +++ b/detections/endpoint/detect_critical_alerts_from_security_tools.yml @@ -2,28 +2,31 @@ name: Detect Critical Alerts from Security Tools id: 483e8a68-f2f7-45be-8fc9-bf725f0e22fd version: 1 date: '2024-10-09' -author: Gowthamaraj Rajendran, Patrick Bareiss, Bhavin Patel, Splunk +author: Gowthamaraj Rajendran, Patrick Bareiss, Bhavin Patel, Bryan Pluta, Splunk status: production type: TTP data_source: - Windows Defender Alerts +- MS365 Defender Incident Alerts description: The following analytics is to detect high and critical alerts from endpoint security tools such as Microsoft Defender, Carbon Black, and Crowdstrike. This query aggregates and summarizes critical severity alerts from the Alerts data model, providing details such as the alert signature, application, description, source, destination, and timestamps, while applying custom filters and formatting for enhanced analysis in a SIEM environment.This capability allows security teams to efficiently allocate resources and maintain a strong security posture, while also supporting compliance with regulatory requirements by providing a clear record of critical security events. We tested these detections with logs from Microsoft Defender, however this detection should work for any security alerts that are ingested into the alerts data model. -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Alerts where Alerts.severity IN ("high","critical") by Alerts.signature Alerts.app, Alerts.severity, Alerts.description, source, Alerts.id, Alerts.dest - | `drop_dm_object_name("Alerts")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` - | `detect_critical_alerts_from_security_tools_filter`' -how_to_implement: In order to properly run this search, you to ingest alerts data from other security products such as Crowdstrike, Microsoft Defender, or Carbon Black using appropriate TAs for that technology. Once ingested, the fields should be mapped to the Alerts data model. Make sure to apply transformation on the data if necessary. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(Alerts.description) as description values(Alerts.mitre_technique_id) as annotations.mitre_attack.mitre_technique_id values(Alerts.severity) as severity values(Alerts.type) as type values(Alerts.severity_id) as severity_id values(Alerts.signature) as signature values(Alerts.signature_id) as signature_id values(Alerts.dest) as dest from datamodel=Alerts where Alerts.severity IN ("high","critical") by Alerts.src Alerts.user Alerts.id Alerts.vendor sourcetype +| `drop_dm_object_name("Alerts")` +| `security_content_ctime(firstTime)` +| `security_content_ctime(lastTime)` +| eval risk_score=case(severity="informational", 2, severity="low", 5, severity="medium", 10, severity="high", 50, severity="critical" , 100) | `detect_critical_alerts_from_security_tools_filter`' +how_to_implement: In order to properly run this search, you to ingest alerts data from other security products such as Crowdstrike, Microsoft Defender, or Carbon Black using appropriate TAs for that technology. Once ingested, the fields should be mapped to the Alerts data model. Make sure to apply transformation on the data if necessary. The risk_score field is used to calculate the risk score for the alerts and the mitre_technique_id field is used to map the alerts to the MITRE ATT&CK framework is dynamically created by the detection when this is triggered. These fields need not be set in the adaptive response actions. known_false_positives: False positives may vary by endpoint protection tool; monitor and filter out the alerts that are not relevant to your environment. references: - - https://techcommunity.microsoft.com/t5/microsoft-defender-for-cloud/accessing-microsoft-defender-for-cloud-alerts-in-splunk-using/ba-p/938228 - - https://docs.splunk.com/Documentation/CIM/5.3.2/User/Alerts - - https://learn.microsoft.com/en-us/defender-endpoint/api/raw-data-export-event-hub +- https://techcommunity.microsoft.com/t5/microsoft-defender-for-cloud/accessing-microsoft-defender-for-cloud-alerts-in-splunk-using/ba-p/938228 +- https://docs.splunk.com/Documentation/CIM/5.3.2/User/Alerts +- https://learn.microsoft.com/en-us/defender-endpoint/api/raw-data-export-event-hub drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" and "$user$" + search: '%original_detection_search% | search dest = "$dest$" user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" and "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: @@ -31,12 +34,15 @@ tags: - Critical Alerts asset_type: Endpoint atomic_guid: [] - confidence: 90 - impact: 90 - message: $severity$ alert for $dest$ from $source$ - $signature$ - mitre_attack_id: - - T1484 + confidence: 50 + impact: 50 + message: $severity$ alert for $user$ from $sourcetype$ - $signature$ + mitre_attack_id: [] observable: + - name: user + type: User + role: + - Victim - name: dest type: Endpoint role: @@ -46,14 +52,28 @@ tags: - Splunk Enterprise Security - Splunk Cloud required_fields: - - _time - - app - - name - risk_score: 81 + - Alerts.description + - Alerts.mitre_technique_id + - Alerts.severity + - Alerts.type + - Alerts.severity_id + - Alerts.signature + - Alerts.dest + - Alerts.src + - Alerts.user + - Alerts.id + - Alerts.vendor + - sourcetype + risk_score: 25 security_domain: endpoint tests: - name: True Positive Test attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/suspicious_behaviour/alerts/AdvancedHunting.log source: eventhub://windowsdefenderlogs - sourcetype: mscs:azure:eventhub:defender:advancedhunting \ No newline at end of file + sourcetype: mscs:azure:eventhub:defender:advancedhunting +- name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/suspicious_behaviour/alerts/defender_incident_alerts.log + source: m365_defender_incident_alerts + sourcetype: ms365:defender:incident:alerts \ No newline at end of file diff --git a/detections/endpoint/detect_empire_with_powershell_script_block_logging.yml b/detections/endpoint/detect_empire_with_powershell_script_block_logging.yml index 61635090dd..5e520b9525 100644 --- a/detections/endpoint/detect_empire_with_powershell_script_block_logging.yml +++ b/detections/endpoint/detect_empire_with_powershell_script_block_logging.yml @@ -19,12 +19,12 @@ references: - https://github.com/BC-SECURITY/Empire - https://www.splunk.com/en_us/blog/security/hunting-for-malicious-powershell-using-script-block-logging.html drilldown_searches: -- name: View the detection results for $UserID$ and $Computer$ - search: '%original_detection_search% | search UserID = $UserID$ Computer = $Computer$' +- name: View the detection results for - "$UserID$" and "$Computer$" + search: '%original_detection_search% | search UserID = "$UserID$" Computer = "$Computer$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $UserID$ and $Computer$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($UserID$, $Computer$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$UserID$" and "$Computer$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$UserID$", "$Computer$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/detect_excessive_account_lockouts_from_endpoint.yml b/detections/endpoint/detect_excessive_account_lockouts_from_endpoint.yml index b582c036cc..485cb08fcc 100644 --- a/detections/endpoint/detect_excessive_account_lockouts_from_endpoint.yml +++ b/detections/endpoint/detect_excessive_account_lockouts_from_endpoint.yml @@ -16,12 +16,12 @@ how_to_implement: 'You must ingest your Windows security event logs in the `Chan known_false_positives: It's possible that a widely used system, such as a kiosk, could cause a large number of account lockouts. references: [] drilldown_searches: -- name: View the detection results for $user$ and $dest$ - search: '%original_detection_search% | search user = $user$ dest = $dest$' +- name: View the detection results for - "$user$" and "$dest$" + search: '%original_detection_search% | search user = "$user$" dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ and $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$, $dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" and "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/detect_excessive_user_account_lockouts.yml b/detections/endpoint/detect_excessive_user_account_lockouts.yml index 17a2fab86e..86ab796ff4 100644 --- a/detections/endpoint/detect_excessive_user_account_lockouts.yml +++ b/detections/endpoint/detect_excessive_user_account_lockouts.yml @@ -12,12 +12,12 @@ how_to_implement: ou must ingest your Windows security event logs in the `Change known_false_positives: It is possible that a legitimate user is experiencing an issue causing multiple account login failures leading to lockouts. references: [] drilldown_searches: -- name: View the detection results for $user$ - search: '%original_detection_search% | search user = $user$' +- name: View the detection results for - "$user$" + search: '%original_detection_search% | search user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/detect_exchange_web_shell.yml b/detections/endpoint/detect_exchange_web_shell.yml index 41010f884f..ed39d29d60 100644 --- a/detections/endpoint/detect_exchange_web_shell.yml +++ b/detections/endpoint/detect_exchange_web_shell.yml @@ -17,12 +17,12 @@ references: - https://www.youtube.com/watch?v=FC6iHw258RI - https://www.huntress.com/blog/rapid-response-microsoft-exchange-servers-still-vulnerable-to-proxyshell-exploit#what-should-you-do drilldown_searches: -- name: View the detection results for $user$ and $dest$ - search: '%original_detection_search% | search user = $user$ dest = $dest$' +- name: View the detection results for - "$user$" and "$dest$" + search: '%original_detection_search% | search user = "$user$" dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ and $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$, $dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" and "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/detect_html_help_renamed.yml b/detections/endpoint/detect_html_help_renamed.yml index 22dd5b4041..9fd38fef12 100644 --- a/detections/endpoint/detect_html_help_renamed.yml +++ b/detections/endpoint/detect_html_help_renamed.yml @@ -5,35 +5,14 @@ date: '2024-10-17' author: Michael Haag, Splunk status: production type: Hunting -description: The following analytic detects instances where hh.exe (HTML Help) has - been renamed and is executing a Compiled HTML Help (CHM) file. This detection leverages - data from Endpoint Detection and Response (EDR) agents, focusing on process names - and original file names. This activity is significant because attackers can use - renamed hh.exe to execute malicious scripts embedded in CHM files, potentially leading - to code execution. If confirmed malicious, this technique could allow attackers - to run arbitrary scripts, escalate privileges, or persist within the environment, - posing a significant security risk. +description: The following analytic detects instances where hh.exe (HTML Help) has been renamed and is executing a Compiled HTML Help (CHM) file. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and original file names. This activity is significant because attackers can use renamed hh.exe to execute malicious scripts embedded in CHM files, potentially leading to code execution. If confirmed malicious, this technique could allow attackers to run arbitrary scripts, escalate privileges, or persist within the environment, posing a significant security risk. data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) - as lastTime from datamodel=Endpoint.Processes where Processes.process_name!=hh.exe - AND Processes.original_file_name=HH.EXE by Processes.dest Processes.user Processes.parent_process_name - Processes.original_file_name Processes.process_name Processes.process Processes.process_id - Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` | `detect_html_help_renamed_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection - and Response (EDR) agents. These agents are designed to provide security-related - telemetry from the endpoints where the agent is installed. To implement this search, - you must ingest logs that contain the process GUID, process name, and parent process. - Additionally, you must ingest complete command-line executions. These logs must - be processed using the appropriate Splunk Technology Add-ons that are specific to - the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` - data model. Use the Splunk Common Information Model (CIM) to normalize the field - names and speed up the data modeling process. -known_false_positives: Although unlikely a renamed instance of hh.exe will be used - legitimately, filter as needed. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name!=hh.exe AND Processes.original_file_name=HH.EXE by Processes.dest Processes.user Processes.parent_process_name Processes.original_file_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_html_help_renamed_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. +known_false_positives: Although unlikely a renamed instance of hh.exe will be used legitimately, filter as needed. references: - https://attack.mitre.org/techniques/T1218/001/ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.001/T1218.001.md @@ -45,8 +24,7 @@ tags: asset_type: Endpoint confidence: 100 impact: 80 - message: The following $process_name$ has been identified as renamed, spawning from - $parent_process_name$ on $dest$ executed by $user$ + message: The following $process_name$ has been identified as renamed, spawning from $parent_process_name$ on $dest$ executed by $user$ mitre_attack_id: - T1218 - T1218.001 @@ -89,7 +67,6 @@ tags: tests: - name: True Positive Test attack_data: - - data: - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.001/atomic_red_team/windows-sysmon.log + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.001/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/detect_html_help_spawn_child_process.yml b/detections/endpoint/detect_html_help_spawn_child_process.yml index 9547c7a70f..53b7bb5919 100644 --- a/detections/endpoint/detect_html_help_spawn_child_process.yml +++ b/detections/endpoint/detect_html_help_spawn_child_process.yml @@ -20,12 +20,12 @@ references: - https://gist.github.com/mgeeky/cce31c8602a144d8f2172a73d510e0e7 - https://web.archive.org/web/20220119133748/https://cyberforensicator.com/2019/01/20/silence-dissecting-malicious-chm-files-and-performing-forensic-analysis/ drilldown_searches: -- name: View the detection results for $user$ and $dest$ - search: '%original_detection_search% | search user = $user$ dest = $dest$' +- name: View the detection results for - "$user$" and "$dest$" + search: '%original_detection_search% | search user = "$user$" dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ and $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$, $dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" and "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/detect_html_help_url_in_command_line.yml b/detections/endpoint/detect_html_help_url_in_command_line.yml index da03b33b9e..6d2fe4dc48 100644 --- a/detections/endpoint/detect_html_help_url_in_command_line.yml +++ b/detections/endpoint/detect_html_help_url_in_command_line.yml @@ -21,12 +21,12 @@ references: - https://gist.github.com/mgeeky/cce31c8602a144d8f2172a73d510e0e7 - https://web.archive.org/web/20220119133748/https://cyberforensicator.com/2019/01/20/silence-dissecting-malicious-chm-files-and-performing-forensic-analysis/ drilldown_searches: -- name: View the detection results for $user$ and $dest$ - search: '%original_detection_search% | search user = $user$ dest = $dest$' +- name: View the detection results for - "$user$" and "$dest$" + search: '%original_detection_search% | search user = "$user$" dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ and $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$, $dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" and "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/detect_html_help_using_infotech_storage_handlers.yml b/detections/endpoint/detect_html_help_using_infotech_storage_handlers.yml index 12a33da5bf..faf70867f4 100644 --- a/detections/endpoint/detect_html_help_using_infotech_storage_handlers.yml +++ b/detections/endpoint/detect_html_help_using_infotech_storage_handlers.yml @@ -21,12 +21,12 @@ references: - https://gist.github.com/mgeeky/cce31c8602a144d8f2172a73d510e0e7 - https://web.archive.org/web/20220119133748/https://cyberforensicator.com/2019/01/20/silence-dissecting-malicious-chm-files-and-performing-forensic-analysis/ drilldown_searches: -- name: View the detection results for $user$ and $dest$ - search: '%original_detection_search% | search user = $user$ dest = $dest$' +- name: View the detection results for - "$user$" and "$dest$" + search: '%original_detection_search% | search user = "$user$" dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ and $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$, $dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" and "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/detect_mimikatz_with_powershell_script_block_logging.yml b/detections/endpoint/detect_mimikatz_with_powershell_script_block_logging.yml index d254b0519d..49332f4d4f 100644 --- a/detections/endpoint/detect_mimikatz_with_powershell_script_block_logging.yml +++ b/detections/endpoint/detect_mimikatz_with_powershell_script_block_logging.yml @@ -18,12 +18,12 @@ references: - https://www.crowdstrike.com/blog/investigating-powershell-command-and-script-logging/ - https://www.splunk.com/en_us/blog/security/hunting-for-malicious-powershell-using-script-block-logging.html drilldown_searches: -- name: View the detection results for $UserID$ and $Computer$ - search: '%original_detection_search% | search UserID = $UserID$ Computer = $Computer$' +- name: View the detection results for - "$UserID$" and "$Computer$" + search: '%original_detection_search% | search UserID = "$UserID$" Computer = "$Computer$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $UserID$ and $Computer$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($UserID$, $Computer$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$UserID$" and "$Computer$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$UserID$", "$Computer$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/detect_mshta_inline_hta_execution.yml b/detections/endpoint/detect_mshta_inline_hta_execution.yml index 30c40fc43f..5e2519388b 100644 --- a/detections/endpoint/detect_mshta_inline_hta_execution.yml +++ b/detections/endpoint/detect_mshta_inline_hta_execution.yml @@ -18,12 +18,12 @@ references: - https://redcanary.com/blog/introducing-atomictestharnesses/ - https://docs.microsoft.com/en-us/windows/win32/search/-search-3x-wds-extidx-prot-implementing drilldown_searches: -- name: View the detection results for $user$ and $dest$ - search: '%original_detection_search% | search user = $user$ dest = $dest$' +- name: View the detection results for - "$user$" and "$dest$" + search: '%original_detection_search% | search user = "$user$" dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ and $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$, $dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" and "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/detect_mshta_renamed.yml b/detections/endpoint/detect_mshta_renamed.yml index 73ce8da523..ba279d868f 100644 --- a/detections/endpoint/detect_mshta_renamed.yml +++ b/detections/endpoint/detect_mshta_renamed.yml @@ -5,34 +5,14 @@ date: '2024-10-17' author: Michael Haag, Splunk status: production type: Hunting -description: The following analytic identifies instances where mshta.exe has been - renamed and executed. It leverages Endpoint Detection and Response (EDR) data, specifically - focusing on the original file name field to detect discrepancies. This activity - is significant because renaming mshta.exe is a common tactic used by attackers to - evade detection and execute malicious scripts. If confirmed malicious, this could - allow an attacker to execute arbitrary code, potentially leading to system compromise, - data exfiltration, or further lateral movement within the network. +description: The following analytic identifies instances where mshta.exe has been renamed and executed. It leverages Endpoint Detection and Response (EDR) data, specifically focusing on the original file name field to detect discrepancies. This activity is significant because renaming mshta.exe is a common tactic used by attackers to evade detection and execute malicious scripts. If confirmed malicious, this could allow an attacker to execute arbitrary code, potentially leading to system compromise, data exfiltration, or further lateral movement within the network. data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) - as lastTime from datamodel=Endpoint.Processes where Processes.process_name!=mshta.exe - AND Processes.original_file_name=MSHTA.EXE by Processes.dest Processes.user Processes.parent_process_name - Processes.process_name Processes.process Processes.process_id Processes.parent_process_id - Processes.original_file_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` | `detect_mshta_renamed_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection - and Response (EDR) agents. These agents are designed to provide security-related - telemetry from the endpoints where the agent is installed. To implement this search, - you must ingest logs that contain the process GUID, process name, and parent process. - Additionally, you must ingest complete command-line executions. These logs must - be processed using the appropriate Splunk Technology Add-ons that are specific to - the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` - data model. Use the Splunk Common Information Model (CIM) to normalize the field - names and speed up the data modeling process. -known_false_positives: Although unlikely, some legitimate applications may use a moved - copy of mshta.exe, but never renamed, triggering a false positive. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name!=mshta.exe AND Processes.original_file_name=MSHTA.EXE by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.original_file_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_mshta_renamed_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. +known_false_positives: Although unlikely, some legitimate applications may use a moved copy of mshta.exe, but never renamed, triggering a false positive. references: - https://github.com/redcanaryco/AtomicTestHarnesses - https://redcanary.com/blog/introducing-atomictestharnesses/ @@ -43,8 +23,7 @@ tags: asset_type: Endpoint confidence: 100 impact: 80 - message: The following $process_name$ has been identified as renamed, spawning from - $parent_process_name$ on $dest$ executed by user $user$ + message: The following $process_name$ has been identified as renamed, spawning from $parent_process_name$ on $dest$ executed by user $user$ mitre_attack_id: - T1218 - T1218.005 @@ -87,7 +66,6 @@ tags: tests: - name: True Positive Test attack_data: - - data: - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.005/atomic_red_team/windows-sysmon.log + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.005/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/detect_mshta_url_in_command_line.yml b/detections/endpoint/detect_mshta_url_in_command_line.yml index c23c1efc57..c1d180fb47 100644 --- a/detections/endpoint/detect_mshta_url_in_command_line.yml +++ b/detections/endpoint/detect_mshta_url_in_command_line.yml @@ -18,12 +18,12 @@ references: - https://redcanary.com/blog/introducing-atomictestharnesses/ - https://docs.microsoft.com/en-us/windows/win32/search/-search-3x-wds-extidx-prot-implementing drilldown_searches: -- name: View the detection results for $user$ and $dest$ - search: '%original_detection_search% | search user = $user$ dest = $dest$' +- name: View the detection results for - "$user$" and "$dest$" + search: '%original_detection_search% | search user = "$user$" dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ and $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$, $dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" and "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/detect_new_local_admin_account.yml b/detections/endpoint/detect_new_local_admin_account.yml index f883ed785c..a750e8d17e 100644 --- a/detections/endpoint/detect_new_local_admin_account.yml +++ b/detections/endpoint/detect_new_local_admin_account.yml @@ -14,12 +14,12 @@ how_to_implement: You must be ingesting Windows event logs using the Splunk Wind known_false_positives: The activity may be legitimate. For this reason, it's best to verify the account with an administrator and ask whether there was a valid service request for the account creation. If your local administrator group name is not "Administrators", this search may generate an excessive number of false positives references: [] drilldown_searches: -- name: View the detection results for $user$ and $dest$ - search: '%original_detection_search% | search user = $user$ dest = $dest$' +- name: View the detection results for - "$user$" and "$dest$" + search: '%original_detection_search% | search user = "$user$" dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ and $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$, $dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" and "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/detect_outlook_exe_writing_a_zip_file.yml b/detections/endpoint/detect_outlook_exe_writing_a_zip_file.yml index 1aefd278e3..1ed6fce70a 100644 --- a/detections/endpoint/detect_outlook_exe_writing_a_zip_file.yml +++ b/detections/endpoint/detect_outlook_exe_writing_a_zip_file.yml @@ -5,36 +5,12 @@ date: '2024-10-17' author: Bhavin Patel, Splunk status: experimental type: TTP -description: The following analytic identifies the execution of `outlook.exe` writing - a `.zip` file to the disk. It leverages data from the Endpoint data model, specifically - monitoring process and filesystem activities. This behavior is significant as it - may indicate the use of Outlook to deliver malicious payloads or exfiltrate data - via compressed files. If confirmed malicious, this activity could lead to unauthorized - data access, data exfiltration, or the delivery of malware, potentially compromising - the security of the affected system and network. +description: The following analytic identifies the execution of `outlook.exe` writing a `.zip` file to the disk. It leverages data from the Endpoint data model, specifically monitoring process and filesystem activities. This behavior is significant as it may indicate the use of Outlook to deliver malicious payloads or exfiltrate data via compressed files. If confirmed malicious, this activity could lead to unauthorized data access, data exfiltration, or the delivery of malware, potentially compromising the security of the affected system and network. data_source: - Sysmon EventID 1 AND Sysmon EventID 11 -search: '| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) - as lastTime FROM datamodel=Endpoint.Processes where Processes.process_name=outlook.exe - by _time span=5m Processes.parent_process_id Processes.process_id Processes.dest - Processes.process_name Processes.parent_process_name Processes.user | `drop_dm_object_name(Processes)` - | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | rename - process_id as malicious_id| rename parent_process_id as outlook_id| join malicious_id - type=inner[| tstats `security_content_summariesonly` count values(Filesystem.file_path) - as file_path values(Filesystem.file_name) as file_name FROM datamodel=Endpoint.Filesystem - where (Filesystem.file_path=*.zip* OR Filesystem.file_name=*.lnk ) AND (Filesystem.file_path=C:\\Users* - OR Filesystem.file_path=*Local\\Temp*) by _time span=5m Filesystem.process_id Filesystem.file_hash - Filesystem.dest | `drop_dm_object_name(Filesystem)` | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` | rename process_id as malicious_id| fields - malicious_id outlook_id dest file_path file_name file_hash count file_id] | table - firstTime lastTime user malicious_id outlook_id process_name parent_process_name - file_name file_path | where file_name != "" | `detect_outlook_exe_writing_a_zip_file_filter`' -how_to_implement: You must be ingesting data that records filesystem and process activity - from your hosts to populate the Endpoint data model. This is typically populated - via endpoint detection-and-response product, such as Carbon Black, or endpoint data - sources, such as Sysmon. -known_false_positives: It is not uncommon for outlook to write legitimate zip files - to the disk. +search: '| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes where Processes.process_name=outlook.exe by _time span=5m Processes.parent_process_id Processes.process_id Processes.dest Processes.process_name Processes.parent_process_name Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | rename process_id as malicious_id| rename parent_process_id as outlook_id| join malicious_id type=inner[| tstats `security_content_summariesonly` count values(Filesystem.file_path) as file_path values(Filesystem.file_name) as file_name FROM datamodel=Endpoint.Filesystem where (Filesystem.file_path=*.zip* OR Filesystem.file_name=*.lnk ) AND (Filesystem.file_path=C:\\Users* OR Filesystem.file_path=*Local\\Temp*) by _time span=5m Filesystem.process_id Filesystem.file_hash Filesystem.dest | `drop_dm_object_name(Filesystem)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | rename process_id as malicious_id| fields malicious_id outlook_id dest file_path file_name file_hash count file_id] | table firstTime lastTime user malicious_id outlook_id process_name parent_process_name file_name file_path | where file_name != "" | `detect_outlook_exe_writing_a_zip_file_filter`' +how_to_implement: You must be ingesting data that records filesystem and process activity from your hosts to populate the Endpoint data model. This is typically populated via endpoint detection-and-response product, such as Carbon Black, or endpoint data sources, such as Sysmon. +known_false_positives: It is not uncommon for outlook to write legitimate zip files to the disk. references: [] tags: analytic_story: diff --git a/detections/endpoint/detect_password_spray_attack_behavior_from_source.yml b/detections/endpoint/detect_password_spray_attack_behavior_from_source.yml index 27d2067681..1271d4052c 100644 --- a/detections/endpoint/detect_password_spray_attack_behavior_from_source.yml +++ b/detections/endpoint/detect_password_spray_attack_behavior_from_source.yml @@ -16,12 +16,12 @@ references: - https://www.microsoft.com/en-us/security/blog/2020/04/23/protecting-organization-password-spray-attacks/ - https://github.com/MarkoH17/Spray365 drilldown_searches: -- name: View the detection results for $src$ and $user$ - search: '%original_detection_search% | search src = $src$ user = $user$' +- name: View the detection results for - "$src$" and "$user$" + search: '%original_detection_search% | search src = "$src$" user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $src$ and $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($src$, $user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$src$" and "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/detect_password_spray_attack_behavior_on_user.yml b/detections/endpoint/detect_password_spray_attack_behavior_on_user.yml index 68a8c9dd08..a191014ffd 100644 --- a/detections/endpoint/detect_password_spray_attack_behavior_on_user.yml +++ b/detections/endpoint/detect_password_spray_attack_behavior_on_user.yml @@ -16,12 +16,12 @@ references: - https://www.microsoft.com/en-us/security/blog/2020/04/23/protecting-organization-password-spray-attacks/ - https://github.com/MarkoH17/Spray365 drilldown_searches: -- name: View the detection results for $src$ and $user$ - search: '%original_detection_search% | search src = $src$ user = $user$' +- name: View the detection results for - "$src$" and "$user$" + search: '%original_detection_search% | search src = "$src$" user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $src$ and $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($src$, $user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$src$" and "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/detect_path_interception_by_creation_of_program_exe.yml b/detections/endpoint/detect_path_interception_by_creation_of_program_exe.yml index 8aa55757c9..79ce69dd82 100644 --- a/detections/endpoint/detect_path_interception_by_creation_of_program_exe.yml +++ b/detections/endpoint/detect_path_interception_by_creation_of_program_exe.yml @@ -16,12 +16,12 @@ known_false_positives: unknown references: - https://medium.com/@SumitVerma101/windows-privilege-escalation-part-1-unquoted-service-path-c7a011a8d8ae drilldown_searches: -- name: View the detection results for $user$ and $dest$ - search: '%original_detection_search% | search user = $user$ dest = $dest$' +- name: View the detection results for - "$user$" and "$dest$" + search: '%original_detection_search% | search user = "$user$" dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ and $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$, $dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" and "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/detect_processes_used_for_system_network_configuration_discovery.yml b/detections/endpoint/detect_processes_used_for_system_network_configuration_discovery.yml index dff7775fe4..41d03ad4f5 100644 --- a/detections/endpoint/detect_processes_used_for_system_network_configuration_discovery.yml +++ b/detections/endpoint/detect_processes_used_for_system_network_configuration_discovery.yml @@ -15,12 +15,12 @@ how_to_implement: The detection is based on data that originates from Endpoint D known_false_positives: It is uncommon for normal users to execute a series of commands used for network discovery. System administrators often use scripts to execute these commands. These can generate false positives. references: [] drilldown_searches: -- name: View the detection results for $user$ and $dest$ - search: '%original_detection_search% | search user = $user$ dest = $dest$' +- name: View the detection results for - "$user$" and "$dest$" + search: '%original_detection_search% | search user = "$user$" dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ and $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$, $dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" and "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/detect_prohibited_applications_spawning_cmd_exe.yml b/detections/endpoint/detect_prohibited_applications_spawning_cmd_exe.yml index 1b3487394b..c2fac6c038 100644 --- a/detections/endpoint/detect_prohibited_applications_spawning_cmd_exe.yml +++ b/detections/endpoint/detect_prohibited_applications_spawning_cmd_exe.yml @@ -5,36 +5,14 @@ date: '2024-10-17' author: Bhavin Patel, Splunk status: production type: Hunting -description: The following analytic detects executions of cmd.exe spawned by processes - that are commonly abused by attackers and do not typically launch cmd.exe. It leverages - data from Endpoint Detection and Response (EDR) agents, focusing on process GUID, - process name, parent process, and command-line executions. This activity is significant - because it may indicate an attempt to execute unauthorized commands or scripts, - often a precursor to further malicious actions. If confirmed malicious, this behavior - could lead to unauthorized code execution, privilege escalation, or persistence - within the environment. +description: The following analytic detects executions of cmd.exe spawned by processes that are commonly abused by attackers and do not typically launch cmd.exe. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process GUID, process name, parent process, and command-line executions. This activity is significant because it may indicate an attempt to execute unauthorized commands or scripts, often a precursor to further malicious actions. If confirmed malicious, this behavior could lead to unauthorized code execution, privilege escalation, or persistence within the environment. data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count values(Processes.process) - as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes - where `process_cmd` by Processes.parent_process_name Processes.process_name Processes.original_file_name - Processes.dest Processes.user| `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| - `security_content_ctime(lastTime)` |search [`prohibited_apps_launching_cmd_macro`] - | `detect_prohibited_applications_spawning_cmd_exe_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection - and Response (EDR) agents. These agents are designed to provide security-related - telemetry from the endpoints where the agent is installed. To implement this search, - you must ingest logs that contain the process GUID, process name, and parent process. - Additionally, you must ingest complete command-line executions. These logs must - be processed using the appropriate Splunk Technology Add-ons that are specific to - the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` - data model. Use the Splunk Common Information Model (CIM) to normalize the field - names and speed up the data modeling process. -known_false_positives: There are circumstances where an application may legitimately - execute and interact with the Windows command-line interface. Investigate and modify - the lookup file, as appropriate. +search: '| tstats `security_content_summariesonly` count values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_cmd` by Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.dest Processes.user| `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` |search [`prohibited_apps_launching_cmd_macro`] | `detect_prohibited_applications_spawning_cmd_exe_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. +known_false_positives: There are circumstances where an application may legitimately execute and interact with the Windows command-line interface. Investigate and modify the lookup file, as appropriate. references: [] tags: analytic_story: @@ -45,8 +23,7 @@ tags: asset_type: Endpoint confidence: 100 impact: 80 - message: An instance of $parent_process_name$ spawning $process_name$ was identified - on endpoint $dest$ by user $user$ running prohibited applications. + message: An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ running prohibited applications. mitre_attack_id: - T1059 - T1059.003 @@ -89,7 +66,6 @@ tags: tests: - name: True Positive Test attack_data: - - data: - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.003/powershell_spawn_cmd/windows-sysmon.log + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.003/powershell_spawn_cmd/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/detect_psexec_with_accepteula_flag.yml b/detections/endpoint/detect_psexec_with_accepteula_flag.yml index a2b82e3b59..428e2951a6 100644 --- a/detections/endpoint/detect_psexec_with_accepteula_flag.yml +++ b/detections/endpoint/detect_psexec_with_accepteula_flag.yml @@ -16,12 +16,12 @@ known_false_positives: Administrators can leverage PsExec for accessing remote s references: - https://media.defense.gov/2023/May/24/2003229517/-1/-1/0/CSA_Living_off_the_Land.PDF drilldown_searches: -- name: View the detection results for $user$ and $dest$ - search: '%original_detection_search% | search user = $user$ dest = $dest$' +- name: View the detection results for - "$user$" and "$dest$" + search: '%original_detection_search% | search user = "$user$" dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ and $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$, $dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" and "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/detect_rare_executables.yml b/detections/endpoint/detect_rare_executables.yml index 24c8c0a3af..fe2493587a 100644 --- a/detections/endpoint/detect_rare_executables.yml +++ b/detections/endpoint/detect_rare_executables.yml @@ -15,12 +15,12 @@ how_to_implement: The detection is based on data that originates from Endpoint D known_false_positives: Some legitimate processes may be only rarely executed in your environment. references: [] drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/detect_rclone_command_line_usage.yml b/detections/endpoint/detect_rclone_command_line_usage.yml index a50d99a5a9..5979ea5d23 100644 --- a/detections/endpoint/detect_rclone_command_line_usage.yml +++ b/detections/endpoint/detect_rclone_command_line_usage.yml @@ -19,12 +19,12 @@ references: - https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/ - https://thedfirreport.com/2021/11/29/continuing-the-bazar-ransomware-story/ drilldown_searches: -- name: View the detection results for $user$ and $dest$ - search: '%original_detection_search% | search user = $user$ dest = $dest$' +- name: View the detection results for - "$user$" and "$dest$" + search: '%original_detection_search% | search user = "$user$" dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ and $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$, $dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" and "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/detect_regasm_spawning_a_process.yml b/detections/endpoint/detect_regasm_spawning_a_process.yml index 1a07592a8a..c041600a65 100644 --- a/detections/endpoint/detect_regasm_spawning_a_process.yml +++ b/detections/endpoint/detect_regasm_spawning_a_process.yml @@ -19,12 +19,12 @@ references: - https://lolbas-project.github.io/lolbas/Binaries/Regsvcs/ - https://lolbas-project.github.io/lolbas/Binaries/Regasm/ drilldown_searches: -- name: View the detection results for $user$ and $dest$ - search: '%original_detection_search% | search user = $user$ dest = $dest$' +- name: View the detection results for - "$user$" and "$dest$" + search: '%original_detection_search% | search user = "$user$" dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ and $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$, $dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" and "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/detect_regasm_with_network_connection.yml b/detections/endpoint/detect_regasm_with_network_connection.yml index c25a50564b..2658456753 100644 --- a/detections/endpoint/detect_regasm_with_network_connection.yml +++ b/detections/endpoint/detect_regasm_with_network_connection.yml @@ -16,12 +16,12 @@ references: - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.009/T1218.009.md - https://lolbas-project.github.io/lolbas/Binaries/Regasm/ drilldown_searches: -- name: View the detection results for $user$ and $dest$ - search: '%original_detection_search% | search user = $user$ dest = $dest$' +- name: View the detection results for - "$user$" and "$dest$" + search: '%original_detection_search% | search user = "$user$" dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ and $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$, $dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" and "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/detect_regasm_with_no_command_line_arguments.yml b/detections/endpoint/detect_regasm_with_no_command_line_arguments.yml index 1ff68a4385..f8ee2864df 100644 --- a/detections/endpoint/detect_regasm_with_no_command_line_arguments.yml +++ b/detections/endpoint/detect_regasm_with_no_command_line_arguments.yml @@ -18,12 +18,12 @@ references: - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.009/T1218.009.md - https://lolbas-project.github.io/lolbas/Binaries/Regasm/ drilldown_searches: -- name: View the detection results for $user$ and $dest$ - search: '%original_detection_search% | search user = $user$ dest = $dest$' +- name: View the detection results for - "$user$" and "$dest$" + search: '%original_detection_search% | search user = "$user$" dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ and $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$, $dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" and "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/detect_regsvcs_spawning_a_process.yml b/detections/endpoint/detect_regsvcs_spawning_a_process.yml index 91797aab41..a5b2b58b98 100644 --- a/detections/endpoint/detect_regsvcs_spawning_a_process.yml +++ b/detections/endpoint/detect_regsvcs_spawning_a_process.yml @@ -18,12 +18,12 @@ references: - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.009/T1218.009.md - https://lolbas-project.github.io/lolbas/Binaries/Regsvcs/ drilldown_searches: -- name: View the detection results for $user$ and $dest$ - search: '%original_detection_search% | search user = $user$ dest = $dest$' +- name: View the detection results for - "$user$" and "$dest$" + search: '%original_detection_search% | search user = "$user$" dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ and $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$, $dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" and "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/detect_regsvcs_with_network_connection.yml b/detections/endpoint/detect_regsvcs_with_network_connection.yml index adaf1cabc6..b25b50322a 100644 --- a/detections/endpoint/detect_regsvcs_with_network_connection.yml +++ b/detections/endpoint/detect_regsvcs_with_network_connection.yml @@ -16,12 +16,12 @@ references: - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.009/T1218.009.md - https://lolbas-project.github.io/lolbas/Binaries/Regsvcs/ drilldown_searches: -- name: View the detection results for $user$ and $dest$ - search: '%original_detection_search% | search user = $user$ dest = $dest$' +- name: View the detection results for - "$user$" and "$dest$" + search: '%original_detection_search% | search user = "$user$" dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ and $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$, $dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" and "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/detect_regsvcs_with_no_command_line_arguments.yml b/detections/endpoint/detect_regsvcs_with_no_command_line_arguments.yml index 1c962a2418..7d6e9eb3bd 100644 --- a/detections/endpoint/detect_regsvcs_with_no_command_line_arguments.yml +++ b/detections/endpoint/detect_regsvcs_with_no_command_line_arguments.yml @@ -18,12 +18,12 @@ references: - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.009/T1218.009.md - https://lolbas-project.github.io/lolbas/Binaries/Regsvcs/ drilldown_searches: -- name: View the detection results for $user$ and $dest$ - search: '%original_detection_search% | search user = $user$ dest = $dest$' +- name: View the detection results for - "$user$" and "$dest$" + search: '%original_detection_search% | search user = "$user$" dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ and $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$, $dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" and "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/detect_regsvr32_application_control_bypass.yml b/detections/endpoint/detect_regsvr32_application_control_bypass.yml index cca6c80a67..c8f572716c 100644 --- a/detections/endpoint/detect_regsvr32_application_control_bypass.yml +++ b/detections/endpoint/detect_regsvr32_application_control_bypass.yml @@ -19,12 +19,12 @@ references: - https://lolbas-project.github.io/lolbas/Binaries/Regsvr32/ - https://support.microsoft.com/en-us/topic/how-to-use-the-regsvr32-tool-and-troubleshoot-regsvr32-error-messages-a98d960a-7392-e6fe-d90a-3f4e0cb543e5 drilldown_searches: -- name: View the detection results for $user$ and $dest$ - search: '%original_detection_search% | search user = $user$ dest = $dest$' +- name: View the detection results for - "$user$" and "$dest$" + search: '%original_detection_search% | search user = "$user$" dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ and $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$, $dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" and "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/detect_remote_access_software_usage_file.yml b/detections/endpoint/detect_remote_access_software_usage_file.yml index c6888dfa7b..cc60690ec0 100644 --- a/detections/endpoint/detect_remote_access_software_usage_file.yml +++ b/detections/endpoint/detect_remote_access_software_usage_file.yml @@ -16,12 +16,12 @@ references: - https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/ - https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/ drilldown_searches: -- name: View the detection results for $dest$ and $user$ - search: '%original_detection_search% | search dest = $dest$ user = $user$' +- name: View the detection results for - "$dest$" and "$user$" + search: '%original_detection_search% | search dest = "$dest$" user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ and $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$, $user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" and "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/detect_remote_access_software_usage_fileinfo.yml b/detections/endpoint/detect_remote_access_software_usage_fileinfo.yml index f18ed2ccb4..6287e78971 100644 --- a/detections/endpoint/detect_remote_access_software_usage_fileinfo.yml +++ b/detections/endpoint/detect_remote_access_software_usage_fileinfo.yml @@ -18,12 +18,12 @@ references: - https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/ - https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/ drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/detect_remote_access_software_usage_process.yml b/detections/endpoint/detect_remote_access_software_usage_process.yml index 7db3b00dc2..1f729d3002 100644 --- a/detections/endpoint/detect_remote_access_software_usage_process.yml +++ b/detections/endpoint/detect_remote_access_software_usage_process.yml @@ -18,12 +18,12 @@ references: - https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/ - https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/ drilldown_searches: -- name: View the detection results for $dest$ and $user$ - search: '%original_detection_search% | search dest = $dest$ user = $user$' +- name: View the detection results for - "$dest$" and "$user$" + search: '%original_detection_search% | search dest = "$dest$" user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ and $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$, $user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" and "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/detect_renamed_7_zip.yml b/detections/endpoint/detect_renamed_7_zip.yml index b193bb11b3..4c504d26b6 100644 --- a/detections/endpoint/detect_renamed_7_zip.yml +++ b/detections/endpoint/detect_renamed_7_zip.yml @@ -5,36 +5,14 @@ date: '2024-10-17' author: Michael Haag, Splunk status: production type: Hunting -description: The following analytic detects the usage of a renamed 7-Zip executable - using Sysmon data. It leverages the OriginalFileName field to identify instances - where the 7-Zip process has been renamed. This activity is significant as attackers - often rename legitimate tools to evade detection while staging or exfiltrating data. - If confirmed malicious, this behavior could indicate data exfiltration attempts - or other unauthorized data manipulation, potentially leading to significant data - breaches or loss of sensitive information. Analysts should validate the legitimacy - of the 7-Zip executable and investigate parallel processes for further suspicious - activities. +description: The following analytic detects the usage of a renamed 7-Zip executable using Sysmon data. It leverages the OriginalFileName field to identify instances where the 7-Zip process has been renamed. This activity is significant as attackers often rename legitimate tools to evade detection while staging or exfiltrating data. If confirmed malicious, this behavior could indicate data exfiltration attempts or other unauthorized data manipulation, potentially leading to significant data breaches or loss of sensitive information. Analysts should validate the legitimacy of the 7-Zip executable and investigate parallel processes for further suspicious activities. data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) - as lastTime from datamodel=Endpoint.Processes where (Processes.original_file_name=7z*.exe - AND Processes.process_name!=7z*.exe) by Processes.dest Processes.user Processes.parent_process_name - Processes.process_name Processes.process Processes.process_id Processes.parent_process_id - Processes.original_file_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` | `detect_renamed_7_zip_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection - and Response (EDR) agents. These agents are designed to provide security-related - telemetry from the endpoints where the agent is installed. To implement this search, - you must ingest logs that contain the process GUID, process name, and parent process. - Additionally, you must ingest complete command-line executions. These logs must - be processed using the appropriate Splunk Technology Add-ons that are specific to - the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` - data model. Use the Splunk Common Information Model (CIM) to normalize the field - names and speed up the data modeling process. -known_false_positives: Limited false positives, however this analytic will need to - be modified for each environment if Sysmon is not used. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.original_file_name=7z*.exe AND Processes.process_name!=7z*.exe) by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.original_file_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_renamed_7_zip_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. +known_false_positives: Limited false positives, however this analytic will need to be modified for each environment if Sysmon is not used. references: - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560.001/T1560.001.md tags: @@ -43,8 +21,7 @@ tags: asset_type: Endpoint confidence: 90 impact: 30 - message: The following $process_name$ has been identified as renamed, spawning from - $parent_process_name$ on $dest$ by $user$. + message: The following $process_name$ has been identified as renamed, spawning from $parent_process_name$ on $dest$ by $user$. mitre_attack_id: - T1560.001 - T1560 @@ -87,7 +64,6 @@ tags: tests: - name: True Positive Test attack_data: - - data: - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1560.001/archive_utility/windows-sysmon.log + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1560.001/archive_utility/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/detect_renamed_psexec.yml b/detections/endpoint/detect_renamed_psexec.yml index b7251b5978..fa2d687c66 100644 --- a/detections/endpoint/detect_renamed_psexec.yml +++ b/detections/endpoint/detect_renamed_psexec.yml @@ -5,35 +5,14 @@ date: '2024-10-17' author: Michael Haag, Splunk, Alex Oberkircher, Github Community status: production type: Hunting -description: The following analytic identifies instances where `PsExec.exe` has been - renamed and executed on an endpoint. It leverages data from Endpoint Detection and - Response (EDR) agents, focusing on process names and original file names. This activity - is significant because renaming `PsExec.exe` is a common tactic to evade detection. - If confirmed malicious, this could allow an attacker to execute commands remotely, - potentially leading to unauthorized access, lateral movement, or further compromise - of the network. +description: The following analytic identifies instances where `PsExec.exe` has been renamed and executed on an endpoint. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and original file names. This activity is significant because renaming `PsExec.exe` is a common tactic to evade detection. If confirmed malicious, this could allow an attacker to execute commands remotely, potentially leading to unauthorized access, lateral movement, or further compromise of the network. data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) - as lastTime from datamodel=Endpoint.Processes where (Processes.process_name!=psexec.exe - AND Processes.process_name!=psexec64.exe) AND Processes.original_file_name=psexec.c - by Processes.dest Processes.user Processes.parent_process_name Processes.process_name - Processes.process Processes.process_id Processes.parent_process_id Processes.original_file_name - | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` - | `detect_renamed_psexec_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection - and Response (EDR) agents. These agents are designed to provide security-related - telemetry from the endpoints where the agent is installed. To implement this search, - you must ingest logs that contain the process GUID, process name, and parent process. - Additionally, you must ingest complete command-line executions. These logs must - be processed using the appropriate Splunk Technology Add-ons that are specific to - the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` - data model. Use the Splunk Common Information Model (CIM) to normalize the field - names and speed up the data modeling process. -known_false_positives: Limited false positives should be present. It is possible some - third party applications may use older versions of PsExec, filter as needed. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name!=psexec.exe AND Processes.process_name!=psexec64.exe) AND Processes.original_file_name=psexec.c by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.original_file_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_renamed_psexec_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. +known_false_positives: Limited false positives should be present. It is possible some third party applications may use older versions of PsExec, filter as needed. references: - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1569.002/T1569.002.yaml - https://redcanary.com/blog/threat-hunting-psexec-lateral-movement/ @@ -52,8 +31,7 @@ tags: asset_type: Endpoint confidence: 90 impact: 30 - message: The following $process_name$ has been identified as renamed, spawning from - $parent_process_name$ on $dest$ by $user$. + message: The following $process_name$ has been identified as renamed, spawning from $parent_process_name$ on $dest$ by $user$. mitre_attack_id: - T1569 - T1569.002 @@ -96,7 +74,6 @@ tags: tests: - name: True Positive Test attack_data: - - data: - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1569.002/atomic_red_team/windows-sysmon.log + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1569.002/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/detect_renamed_rclone.yml b/detections/endpoint/detect_renamed_rclone.yml index 7fbfb091f1..0d40c44f97 100644 --- a/detections/endpoint/detect_renamed_rclone.yml +++ b/detections/endpoint/detect_renamed_rclone.yml @@ -5,35 +5,14 @@ date: '2024-10-17' author: Michael Haag, Splunk status: production type: Hunting -description: The following analytic detects the execution of a renamed `rclone.exe` - process, which is commonly used for data exfiltration to remote destinations. This - detection leverages Endpoint Detection and Response (EDR) telemetry, focusing on - process names and original file names that do not match. This activity is significant - because ransomware groups often use RClone to exfiltrate sensitive data. If confirmed - malicious, this behavior could indicate an ongoing data exfiltration attempt, potentially - leading to significant data loss and further compromise of the affected systems. +description: The following analytic detects the execution of a renamed `rclone.exe` process, which is commonly used for data exfiltration to remote destinations. This detection leverages Endpoint Detection and Response (EDR) telemetry, focusing on process names and original file names that do not match. This activity is significant because ransomware groups often use RClone to exfiltrate sensitive data. If confirmed malicious, this behavior could indicate an ongoing data exfiltration attempt, potentially leading to significant data loss and further compromise of the affected systems. data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) - as lastTime from datamodel=Endpoint.Processes where (Processes.original_file_name=rclone.exe - AND Processes.process_name!=rclone.exe) by Processes.dest Processes.user Processes.parent_process_name - Processes.process_name Processes.process Processes.process_id Processes.parent_process_id - Processes.original_file_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` | `detect_renamed_rclone_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection - and Response (EDR) agents. These agents are designed to provide security-related - telemetry from the endpoints where the agent is installed. To implement this search, - you must ingest logs that contain the process GUID, process name, and parent process. - Additionally, you must ingest complete command-line executions. These logs must - be processed using the appropriate Splunk Technology Add-ons that are specific to - the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` - data model. Use the Splunk Common Information Model (CIM) to normalize the field - names and speed up the data modeling process. -known_false_positives: False positives should be limited as this analytic identifies - renamed instances of `rclone.exe`. Filter as needed if there is a legitimate business - use case. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.original_file_name=rclone.exe AND Processes.process_name!=rclone.exe) by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.original_file_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_renamed_rclone_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. +known_false_positives: False positives should be limited as this analytic identifies renamed instances of `rclone.exe`. Filter as needed if there is a legitimate business use case. references: - https://redcanary.com/blog/rclone-mega-extortion/ - https://www.mandiant.com/resources/shining-a-light-on-darkside-ransomware-operations @@ -45,8 +24,7 @@ tags: asset_type: Endpoint confidence: 90 impact: 30 - message: The following $process_name$ has been identified as renamed, spawning from - $parent_process_name$ on $dest$ by $user$. + message: The following $process_name$ has been identified as renamed, spawning from $parent_process_name$ on $dest$ by $user$. mitre_attack_id: - T1020 observable: @@ -88,7 +66,6 @@ tags: tests: - name: True Positive Test attack_data: - - data: - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1020/windows-sysmon.log + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1020/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/detect_renamed_winrar.yml b/detections/endpoint/detect_renamed_winrar.yml index dd1d261060..5a12ffbe14 100644 --- a/detections/endpoint/detect_renamed_winrar.yml +++ b/detections/endpoint/detect_renamed_winrar.yml @@ -5,35 +5,14 @@ date: '2024-10-17' author: Michael Haag, Splunk status: production type: Hunting -description: The following analytic identifies instances where `WinRAR.exe` has been - renamed and executed. It leverages data from Endpoint Detection and Response (EDR) - agents, focusing on process names and original file names within the Endpoint data - model. This activity is significant because renaming executables is a common tactic - used by attackers to evade detection. If confirmed malicious, this could indicate - an attempt to bypass security controls, potentially leading to unauthorized data - extraction or further system compromise. +description: The following analytic identifies instances where `WinRAR.exe` has been renamed and executed. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and original file names within the Endpoint data model. This activity is significant because renaming executables is a common tactic used by attackers to evade detection. If confirmed malicious, this could indicate an attempt to bypass security controls, potentially leading to unauthorized data extraction or further system compromise. data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) - as lastTime from datamodel=Endpoint.Processes where Processes.original_file_name=WinRAR.exe - (Processes.process_name!=rar.exe OR Processes.process_name!=winrar.exe) by Processes.dest - Processes.user Processes.parent_process_name Processes.process_name Processes.process - Processes.process_id Processes.parent_process_id Processes.original_file_name | - `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` - | `detect_renamed_winrar_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection - and Response (EDR) agents. These agents are designed to provide security-related - telemetry from the endpoints where the agent is installed. To implement this search, - you must ingest logs that contain the process GUID, process name, and parent process. - Additionally, you must ingest complete command-line executions. These logs must - be processed using the appropriate Splunk Technology Add-ons that are specific to - the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` - data model. Use the Splunk Common Information Model (CIM) to normalize the field - names and speed up the data modeling process. -known_false_positives: Unknown. It is possible third party applications use renamed - instances of WinRAR. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.original_file_name=WinRAR.exe (Processes.process_name!=rar.exe OR Processes.process_name!=winrar.exe) by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.original_file_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_renamed_winrar_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. +known_false_positives: Unknown. It is possible third party applications use renamed instances of WinRAR. references: - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560.001/T1560.001.md tags: @@ -43,8 +22,7 @@ tags: asset_type: Endpoint confidence: 90 impact: 30 - message: The following $process_name$ has been identified as renamed, spawning from - $parent_process_name$ on $dest$ by $user$. + message: The following $process_name$ has been identified as renamed, spawning from $parent_process_name$ on $dest$ by $user$. mitre_attack_id: - T1560.001 - T1560 @@ -87,7 +65,6 @@ tags: tests: - name: True Positive Test attack_data: - - data: - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1560.001/archive_utility/windows-sysmon.log + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1560.001/archive_utility/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/detect_rtlo_in_file_name.yml b/detections/endpoint/detect_rtlo_in_file_name.yml index 173dcf4cfd..6409c49384 100644 --- a/detections/endpoint/detect_rtlo_in_file_name.yml +++ b/detections/endpoint/detect_rtlo_in_file_name.yml @@ -16,12 +16,12 @@ references: - https://resources.infosecinstitute.com/topic/spoof-using-right-to-left-override-rtlo-technique-2/ - https://www.trendmicro.com/en_us/research/17/f/following-trail-blacktech-cyber-espionage-campaigns.html drilldown_searches: -- name: View the detection results for $user$ and $dest$ - search: '%original_detection_search% | search user = $user$ dest = $dest$' +- name: View the detection results for - "$user$" and "$dest$" + search: '%original_detection_search% | search user = "$user$" dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ and $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$, $dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" and "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/detect_rtlo_in_process.yml b/detections/endpoint/detect_rtlo_in_process.yml index be6a1364a6..8cff62a534 100644 --- a/detections/endpoint/detect_rtlo_in_process.yml +++ b/detections/endpoint/detect_rtlo_in_process.yml @@ -18,12 +18,12 @@ references: - https://resources.infosecinstitute.com/topic/spoof-using-right-to-left-override-rtlo-technique-2/ - https://www.trendmicro.com/en_us/research/17/f/following-trail-blacktech-cyber-espionage-campaigns.html drilldown_searches: -- name: View the detection results for $user$ and $dest$ - search: '%original_detection_search% | search user = $user$ dest = $dest$' +- name: View the detection results for - "$user$" and "$dest$" + search: '%original_detection_search% | search user = "$user$" dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ and $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$, $dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" and "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/detect_rundll32_application_control_bypass___advpack.yml b/detections/endpoint/detect_rundll32_application_control_bypass___advpack.yml index d632b5b1d7..4ab52981ad 100644 --- a/detections/endpoint/detect_rundll32_application_control_bypass___advpack.yml +++ b/detections/endpoint/detect_rundll32_application_control_bypass___advpack.yml @@ -20,12 +20,12 @@ references: - https://lolbas-project.github.io/lolbas/Libraries/Advpack/ - https://bohops.com/2018/02/26/leveraging-inf-sct-fetch-execute-techniques-for-bypass-evasion-persistence/ drilldown_searches: -- name: View the detection results for $user$ and $dest$ - search: '%original_detection_search% | search user = $user$ dest = $dest$' +- name: View the detection results for - "$user$" and "$dest$" + search: '%original_detection_search% | search user = "$user$" dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ and $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$, $dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" and "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/detect_rundll32_application_control_bypass___setupapi.yml b/detections/endpoint/detect_rundll32_application_control_bypass___setupapi.yml index 411cdc67fc..0b99c228fb 100644 --- a/detections/endpoint/detect_rundll32_application_control_bypass___setupapi.yml +++ b/detections/endpoint/detect_rundll32_application_control_bypass___setupapi.yml @@ -20,12 +20,12 @@ references: - https://lolbas-project.github.io/lolbas/Libraries/Setupapi/ - https://bohops.com/2018/02/26/leveraging-inf-sct-fetch-execute-techniques-for-bypass-evasion-persistence/ drilldown_searches: -- name: View the detection results for $user$ and $dest$ - search: '%original_detection_search% | search user = $user$ dest = $dest$' +- name: View the detection results for - "$user$" and "$dest$" + search: '%original_detection_search% | search user = "$user$" dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ and $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$, $dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" and "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/detect_rundll32_application_control_bypass___syssetup.yml b/detections/endpoint/detect_rundll32_application_control_bypass___syssetup.yml index 8b0d328e26..f5110c0e08 100644 --- a/detections/endpoint/detect_rundll32_application_control_bypass___syssetup.yml +++ b/detections/endpoint/detect_rundll32_application_control_bypass___syssetup.yml @@ -20,12 +20,12 @@ references: - https://lolbas-project.github.io/lolbas/Libraries/Syssetup/ - https://bohops.com/2018/02/26/leveraging-inf-sct-fetch-execute-techniques-for-bypass-evasion-persistence/ drilldown_searches: -- name: View the detection results for $user$ and $dest$ - search: '%original_detection_search% | search user = $user$ dest = $dest$' +- name: View the detection results for - "$user$" and "$dest$" + search: '%original_detection_search% | search user = "$user$" dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ and $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$, $dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" and "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/detect_rundll32_inline_hta_execution.yml b/detections/endpoint/detect_rundll32_inline_hta_execution.yml index b72707072b..37d7b3b5be 100644 --- a/detections/endpoint/detect_rundll32_inline_hta_execution.yml +++ b/detections/endpoint/detect_rundll32_inline_hta_execution.yml @@ -18,12 +18,12 @@ references: - https://redcanary.com/blog/introducing-atomictestharnesses/ - https://docs.microsoft.com/en-us/windows/win32/search/-search-3x-wds-extidx-prot-implementing drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/detect_sharphound_command_line_arguments.yml b/detections/endpoint/detect_sharphound_command_line_arguments.yml index bf588ec8d8..e3f2ad27dd 100644 --- a/detections/endpoint/detect_sharphound_command_line_arguments.yml +++ b/detections/endpoint/detect_sharphound_command_line_arguments.yml @@ -20,12 +20,12 @@ references: - https://github.com/BloodHoundAD/SharpHound3 - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.001/T1059.001.md#atomic-test-2---run-bloodhound-from-local-disk drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/detect_sharphound_file_modifications.yml b/detections/endpoint/detect_sharphound_file_modifications.yml index c6149206df..71d0dc3adc 100644 --- a/detections/endpoint/detect_sharphound_file_modifications.yml +++ b/detections/endpoint/detect_sharphound_file_modifications.yml @@ -18,12 +18,12 @@ references: - https://github.com/BloodHoundAD/SharpHound3 - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.001/T1059.001.md#atomic-test-2---run-bloodhound-from-local-disk drilldown_searches: -- name: View the detection results for $dest$ and $user$ - search: '%original_detection_search% | search dest = $dest$ user = $user$' +- name: View the detection results for - "$dest$" and "$user$" + search: '%original_detection_search% | search dest = "$dest$" user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ and $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$, $user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" and "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/detect_sharphound_usage.yml b/detections/endpoint/detect_sharphound_usage.yml index 7a2221dac1..ee91afac98 100644 --- a/detections/endpoint/detect_sharphound_usage.yml +++ b/detections/endpoint/detect_sharphound_usage.yml @@ -20,12 +20,12 @@ references: - https://github.com/BloodHoundAD/SharpHound3 - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.001/T1059.001.md#atomic-test-2---run-bloodhound-from-local-disk drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/detect_suspicious_processnames_using_pretrained_model_in_dsdl.yml b/detections/endpoint/detect_suspicious_processnames_using_pretrained_model_in_dsdl.yml index af0c756f2a..c8b65b0af1 100644 --- a/detections/endpoint/detect_suspicious_processnames_using_pretrained_model_in_dsdl.yml +++ b/detections/endpoint/detect_suspicious_processnames_using_pretrained_model_in_dsdl.yml @@ -7,33 +7,10 @@ type: Anomaly status: experimental data_source: - Sysmon EventID 1 -description: The following analytic identifies suspicious process names using a pre-trained - Deep Learning model. It leverages Endpoint Detection and Response (EDR) telemetry - to analyze process names and predict their likelihood of being malicious. The model, - a character-level Recurrent Neural Network (RNN), classifies process names as benign - or suspicious based on a threshold score of 0.5. This detection is significant as - it helps identify malware, such as TrickBot, which often uses randomly generated - filenames to evade detection. If confirmed malicious, this activity could indicate - the presence of malware capable of propagating across the network and executing - harmful actions. -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) - as lastTime from datamodel=Endpoint.Processes by Processes.process_name Processes.parent_process_name - Processes.process Processes.user Processes.dest | `drop_dm_object_name(Processes)` - | rename process_name as text | fields text, parent_process_name, process, user, - dest | apply detect_suspicious_processnames_using_pretrained_model_in_dsdl | rename - predicted_label as is_suspicious_score | rename text as process_name | where is_suspicious_score - > 0.5 | `detect_suspicious_processnames_using_pretrained_model_in_dsdl_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection - and Response (EDR) agents. These agents are designed to provide security-related - telemetry from the endpoints where the agent is installed. To implement this search, - you must ingest logs that contain the process GUID, process name, and parent process. - Additionally, you must ingest complete command-line executions. These logs must - be processed using the appropriate Splunk Technology Add-ons that are specific to - the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` - data model. Use the Splunk Common Information Model (CIM) to normalize the field - names and speed up the data modeling process. -known_false_positives: False positives may be present if a suspicious processname - is similar to a benign processname. +description: The following analytic identifies suspicious process names using a pre-trained Deep Learning model. It leverages Endpoint Detection and Response (EDR) telemetry to analyze process names and predict their likelihood of being malicious. The model, a character-level Recurrent Neural Network (RNN), classifies process names as benign or suspicious based on a threshold score of 0.5. This detection is significant as it helps identify malware, such as TrickBot, which often uses randomly generated filenames to evade detection. If confirmed malicious, this activity could indicate the presence of malware capable of propagating across the network and executing harmful actions. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes by Processes.process_name Processes.parent_process_name Processes.process Processes.user Processes.dest | `drop_dm_object_name(Processes)` | rename process_name as text | fields text, parent_process_name, process, user, dest | apply detect_suspicious_processnames_using_pretrained_model_in_dsdl | rename predicted_label as is_suspicious_score | rename text as process_name | where is_suspicious_score > 0.5 | `detect_suspicious_processnames_using_pretrained_model_in_dsdl_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. +known_false_positives: False positives may be present if a suspicious processname is similar to a benign processname. references: - https://www.cisa.gov/uscert/ncas/alerts/aa20-302a - https://www.splunk.com/en_us/blog/security/random-words-on-entropy-and-dns.html @@ -46,8 +23,7 @@ tags: - Source:Endpoint - Stage:Execution impact: 50 - message: The process $process$ is running from an unusual place by $user$ on $dest$ - with a processname that appears to be randomly generated. + message: The process $process$ is running from an unusual place by $user$ on $dest$ with a processname that appears to be randomly generated. mitre_attack_id: - T1059 observable: diff --git a/detections/endpoint/detect_use_of_cmd_exe_to_launch_script_interpreters.yml b/detections/endpoint/detect_use_of_cmd_exe_to_launch_script_interpreters.yml index f637a87ea4..ba0c6da771 100644 --- a/detections/endpoint/detect_use_of_cmd_exe_to_launch_script_interpreters.yml +++ b/detections/endpoint/detect_use_of_cmd_exe_to_launch_script_interpreters.yml @@ -17,12 +17,12 @@ references: - https://attack.mitre.org/techniques/T1059/ - https://redcanary.com/threat-detection-report/techniques/windows-command-shell/ drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/detect_webshell_exploit_behavior.yml b/detections/endpoint/detect_webshell_exploit_behavior.yml index 463488a75d..a0091101de 100644 --- a/detections/endpoint/detect_webshell_exploit_behavior.yml +++ b/detections/endpoint/detect_webshell_exploit_behavior.yml @@ -18,12 +18,12 @@ references: - https://github.com/nsacyber/Mitigating-Web-Shells - https://www.hackingarticles.in/multiple-ways-to-exploit-tomcat-manager/ drilldown_searches: -- name: View the detection results for $user$ and $dest$ - search: '%original_detection_search% | search user = $user$ dest = $dest$' +- name: View the detection results for - "$user$" and "$dest$" + search: '%original_detection_search% | search user = "$user$" dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ and $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$, $dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" and "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/detect_wmi_event_subscription_persistence.yml b/detections/endpoint/detect_wmi_event_subscription_persistence.yml index 7c8bf060f8..2f44aa56a1 100644 --- a/detections/endpoint/detect_wmi_event_subscription_persistence.yml +++ b/detections/endpoint/detect_wmi_event_subscription_persistence.yml @@ -17,12 +17,12 @@ references: - https://github.com/trustedsec/SysmonCommunityGuide/blob/master/chapters/WMI-events.md - https://in.security/2019/04/03/an-intro-into-abusing-and-identifying-wmi-event-subscriptions-for-persistence/ drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/detection_of_tools_built_by_nirsoft.yml b/detections/endpoint/detection_of_tools_built_by_nirsoft.yml index 9fb84835eb..82c62dec44 100644 --- a/detections/endpoint/detection_of_tools_built_by_nirsoft.yml +++ b/detections/endpoint/detection_of_tools_built_by_nirsoft.yml @@ -5,34 +5,14 @@ date: '2024-10-17' author: Bhavin Patel, Splunk status: experimental type: TTP -description: The following analytic identifies the execution of tools built by NirSoft - by detecting specific command-line arguments such as "/stext" and "/scomma". It - leverages data from Endpoint Detection and Response (EDR) agents, focusing on process - names, parent processes, and command-line executions. This activity is significant - because NirSoft tools, while legitimate, can be exploited by attackers for malicious - purposes such as credential theft or system reconnaissance. If confirmed malicious, - this activity could lead to unauthorized access, data exfiltration, or further compromise - of the affected system. +description: The following analytic identifies the execution of tools built by NirSoft by detecting specific command-line arguments such as "/stext" and "/scomma". It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names, parent processes, and command-line executions. This activity is significant because NirSoft tools, while legitimate, can be exploited by attackers for malicious purposes such as credential theft or system reconnaissance. If confirmed malicious, this activity could lead to unauthorized access, data exfiltration, or further compromise of the affected system. data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count min(_time) values(Processes.process) - as process max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process="* - /stext *" OR Processes.process="* /scomma *" ) by Processes.parent_process Processes.process_name - Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` - |`security_content_ctime(lastTime)` | `detection_of_tools_built_by_nirsoft_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection - and Response (EDR) agents. These agents are designed to provide security-related - telemetry from the endpoints where the agent is installed. To implement this search, - you must ingest logs that contain the process GUID, process name, and parent process. - Additionally, you must ingest complete command-line executions. These logs must - be processed using the appropriate Splunk Technology Add-ons that are specific to - the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` - data model. Use the Splunk Common Information Model (CIM) to normalize the field - names and speed up the data modeling process. -known_false_positives: While legitimate, these NirSoft tools are prone to abuse. You - should verfiy that the tool was used for a legitimate purpose. +search: '| tstats `security_content_summariesonly` count min(_time) values(Processes.process) as process max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process="* /stext *" OR Processes.process="* /scomma *" ) by Processes.parent_process Processes.process_name Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` |`security_content_ctime(lastTime)` | `detection_of_tools_built_by_nirsoft_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. +known_false_positives: While legitimate, these NirSoft tools are prone to abuse. You should verfiy that the tool was used for a legitimate purpose. references: [] tags: analytic_story: diff --git a/detections/endpoint/disable_amsi_through_registry.yml b/detections/endpoint/disable_amsi_through_registry.yml index 0dd0ad25a3..cd38605bed 100644 --- a/detections/endpoint/disable_amsi_through_registry.yml +++ b/detections/endpoint/disable_amsi_through_registry.yml @@ -16,12 +16,12 @@ references: - https://blog.f-secure.com/hunting-for-amsi-bypasses/ - https://gist.github.com/rxwx/8955e5abf18dc258fd6b43a3a7f4dbf9 drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/disable_defender_antivirus_registry.yml b/detections/endpoint/disable_defender_antivirus_registry.yml index c75dcdc06b..7646711d53 100644 --- a/detections/endpoint/disable_defender_antivirus_registry.yml +++ b/detections/endpoint/disable_defender_antivirus_registry.yml @@ -15,12 +15,12 @@ known_false_positives: admin or user may choose to disable windows defender prod references: - https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/ drilldown_searches: -- name: View the detection results for $dest$ and $user$ - search: '%original_detection_search% | search dest = $dest$ user = $user$' +- name: View the detection results for - "$dest$" and "$user$" + search: '%original_detection_search% | search dest = "$dest$" user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ and $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$, $user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" and "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/disable_defender_blockatfirstseen_feature.yml b/detections/endpoint/disable_defender_blockatfirstseen_feature.yml index 0e51b9afd9..658391eb17 100644 --- a/detections/endpoint/disable_defender_blockatfirstseen_feature.yml +++ b/detections/endpoint/disable_defender_blockatfirstseen_feature.yml @@ -15,12 +15,12 @@ known_false_positives: admin or user may choose to disable windows defender prod references: - https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/ drilldown_searches: -- name: View the detection results for $dest$ and $user$ - search: '%original_detection_search% | search dest = $dest$ user = $user$' +- name: View the detection results for - "$dest$" and "$user$" + search: '%original_detection_search% | search dest = "$dest$" user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ and $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$, $user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" and "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/disable_defender_enhanced_notification.yml b/detections/endpoint/disable_defender_enhanced_notification.yml index 4b9411a509..b53d37ba33 100644 --- a/detections/endpoint/disable_defender_enhanced_notification.yml +++ b/detections/endpoint/disable_defender_enhanced_notification.yml @@ -15,12 +15,12 @@ known_false_positives: user may choose to disable windows defender AV references: - https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/ drilldown_searches: -- name: View the detection results for $dest$ and $user$ - search: '%original_detection_search% | search dest = $dest$ user = $user$' +- name: View the detection results for - "$dest$" and "$user$" + search: '%original_detection_search% | search dest = "$dest$" user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ and $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$, $user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" and "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/disable_defender_mpengine_registry.yml b/detections/endpoint/disable_defender_mpengine_registry.yml index 3224ea06ba..9f70961a03 100644 --- a/detections/endpoint/disable_defender_mpengine_registry.yml +++ b/detections/endpoint/disable_defender_mpengine_registry.yml @@ -15,12 +15,12 @@ known_false_positives: admin or user may choose to disable windows defender prod references: - https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/ drilldown_searches: -- name: View the detection results for $dest$ and $user$ - search: '%original_detection_search% | search dest = $dest$ user = $user$' +- name: View the detection results for - "$dest$" and "$user$" + search: '%original_detection_search% | search dest = "$dest$" user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ and $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$, $user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" and "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/disable_defender_spynet_reporting.yml b/detections/endpoint/disable_defender_spynet_reporting.yml index cbf0ca88dd..59737c29ae 100644 --- a/detections/endpoint/disable_defender_spynet_reporting.yml +++ b/detections/endpoint/disable_defender_spynet_reporting.yml @@ -15,12 +15,12 @@ known_false_positives: admin or user may choose to disable windows defender prod references: - https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/ drilldown_searches: -- name: View the detection results for $dest$ and $user$ - search: '%original_detection_search% | search dest = $dest$ user = $user$' +- name: View the detection results for - "$dest$" and "$user$" + search: '%original_detection_search% | search dest = "$dest$" user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ and $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$, $user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" and "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/disable_defender_submit_samples_consent_feature.yml b/detections/endpoint/disable_defender_submit_samples_consent_feature.yml index b0ff60c07d..fe796df3bd 100644 --- a/detections/endpoint/disable_defender_submit_samples_consent_feature.yml +++ b/detections/endpoint/disable_defender_submit_samples_consent_feature.yml @@ -15,12 +15,12 @@ known_false_positives: admin or user may choose to disable windows defender prod references: - https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/ drilldown_searches: -- name: View the detection results for $dest$ and $user$ - search: '%original_detection_search% | search dest = $dest$ user = $user$' +- name: View the detection results for - "$dest$" and "$user$" + search: '%original_detection_search% | search dest = "$dest$" user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ and $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$, $user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" and "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/disable_etw_through_registry.yml b/detections/endpoint/disable_etw_through_registry.yml index 23ebab4dc6..cfe22cc92a 100644 --- a/detections/endpoint/disable_etw_through_registry.yml +++ b/detections/endpoint/disable_etw_through_registry.yml @@ -15,12 +15,12 @@ known_false_positives: network operator may disable this feature of windows but references: - https://app.any.run/tasks/c0f98850-af65-4352-9746-fbebadee4f05/ drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/disable_logs_using_wevtutil.yml b/detections/endpoint/disable_logs_using_wevtutil.yml index 860e0a16a6..929f47e34d 100644 --- a/detections/endpoint/disable_logs_using_wevtutil.yml +++ b/detections/endpoint/disable_logs_using_wevtutil.yml @@ -16,12 +16,12 @@ known_false_positives: network operator may disable audit event logs for debuggi references: - https://www.bleepingcomputer.com/news/security/new-ransom-x-ransomware-used-in-texas-txdot-cyberattack/ drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/disable_registry_tool.yml b/detections/endpoint/disable_registry_tool.yml index 7e3bdf90e9..2b6549ce50 100644 --- a/detections/endpoint/disable_registry_tool.yml +++ b/detections/endpoint/disable_registry_tool.yml @@ -15,12 +15,12 @@ known_false_positives: admin may disable this application for non technical user references: - https://any.run/report/ea4ea08407d4ee72e009103a3b77e5a09412b722fdef67315ea63f22011152af/a866d7b1-c236-4f26-a391-5ae32213dfc4#registry drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/disable_schedule_task.yml b/detections/endpoint/disable_schedule_task.yml index bc1fc33fbd..e9eb199b1b 100644 --- a/detections/endpoint/disable_schedule_task.yml +++ b/detections/endpoint/disable_schedule_task.yml @@ -16,12 +16,12 @@ known_false_positives: admin may disable problematic schedule task references: - https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/ drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/disable_security_logs_using_minint_registry.yml b/detections/endpoint/disable_security_logs_using_minint_registry.yml index f116fba37c..0393bb0b30 100644 --- a/detections/endpoint/disable_security_logs_using_minint_registry.yml +++ b/detections/endpoint/disable_security_logs_using_minint_registry.yml @@ -15,12 +15,12 @@ known_false_positives: Unknown. references: - https://twitter.com/0gtweet/status/1182516740955226112 drilldown_searches: -- name: View the detection results for $dest$ and $user$ - search: '%original_detection_search% | search dest = $dest$ user = $user$' +- name: View the detection results for - "$dest$" and "$user$" + search: '%original_detection_search% | search dest = "$dest$" user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ and $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$, $user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" and "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/disable_show_hidden_files.yml b/detections/endpoint/disable_show_hidden_files.yml index ba00c6ee77..115452823a 100644 --- a/detections/endpoint/disable_show_hidden_files.yml +++ b/detections/endpoint/disable_show_hidden_files.yml @@ -15,12 +15,12 @@ known_false_positives: unknown references: - https://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/W32~Tiotua-P/detailed-analysis drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/disable_uac_remote_restriction.yml b/detections/endpoint/disable_uac_remote_restriction.yml index 3453160251..08c1308808 100644 --- a/detections/endpoint/disable_uac_remote_restriction.yml +++ b/detections/endpoint/disable_uac_remote_restriction.yml @@ -15,12 +15,12 @@ known_false_positives: admin may set this policy for non-critical machine. references: - https://docs.microsoft.com/en-us/troubleshoot/windows-server/windows-security/user-account-control-and-remote-restriction drilldown_searches: -- name: View the detection results for $dest$ and $user$ - search: '%original_detection_search% | search dest = $dest$ user = $user$' +- name: View the detection results for - "$dest$" and "$user$" + search: '%original_detection_search% | search dest = "$dest$" user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ and $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$, $user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" and "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/disable_windows_app_hotkeys.yml b/detections/endpoint/disable_windows_app_hotkeys.yml index 8f2589d845..e5442a24d9 100644 --- a/detections/endpoint/disable_windows_app_hotkeys.yml +++ b/detections/endpoint/disable_windows_app_hotkeys.yml @@ -15,12 +15,12 @@ known_false_positives: unknown references: - https://thedfirreport.com/2020/04/20/sqlserver-or-the-miner-in-the-basement/ drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/disable_windows_behavior_monitoring.yml b/detections/endpoint/disable_windows_behavior_monitoring.yml index a61f867cf2..83455657f9 100644 --- a/detections/endpoint/disable_windows_behavior_monitoring.yml +++ b/detections/endpoint/disable_windows_behavior_monitoring.yml @@ -15,12 +15,12 @@ known_false_positives: admin or user may choose to disable this windows features references: - https://tccontre.blogspot.com/2020/01/remcos-rat-evading-windows-defender-av.html drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/disable_windows_smartscreen_protection.yml b/detections/endpoint/disable_windows_smartscreen_protection.yml index 3e92a42d19..92614f3e49 100644 --- a/detections/endpoint/disable_windows_smartscreen_protection.yml +++ b/detections/endpoint/disable_windows_smartscreen_protection.yml @@ -15,12 +15,12 @@ known_false_positives: admin or user may choose to disable this windows features references: - https://tccontre.blogspot.com/2020/01/remcos-rat-evading-windows-defender-av.html drilldown_searches: -- name: View the detection results for $user$ and $dest$ - search: '%original_detection_search% | search user = $user$ dest = $dest$' +- name: View the detection results for - "$user$" and "$dest$" + search: '%original_detection_search% | search user = "$user$" dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ and $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$, $dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" and "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/disabled_kerberos_pre_authentication_discovery_with_get_aduser.yml b/detections/endpoint/disabled_kerberos_pre_authentication_discovery_with_get_aduser.yml index 2c344f7cc6..1262eaa852 100644 --- a/detections/endpoint/disabled_kerberos_pre_authentication_discovery_with_get_aduser.yml +++ b/detections/endpoint/disabled_kerberos_pre_authentication_discovery_with_get_aduser.yml @@ -16,12 +16,12 @@ references: - https://m0chan.github.io/2019/07/31/How-To-Attack-Kerberos-101.html - https://stealthbits.com/blog/cracking-active-directory-passwords-with-as-rep-roasting/ drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/disabled_kerberos_pre_authentication_discovery_with_powerview.yml b/detections/endpoint/disabled_kerberos_pre_authentication_discovery_with_powerview.yml index b991858dc3..314506c009 100644 --- a/detections/endpoint/disabled_kerberos_pre_authentication_discovery_with_powerview.yml +++ b/detections/endpoint/disabled_kerberos_pre_authentication_discovery_with_powerview.yml @@ -16,12 +16,12 @@ references: - https://m0chan.github.io/2019/07/31/How-To-Attack-Kerberos-101.html - https://stealthbits.com/blog/cracking-active-directory-passwords-with-as-rep-roasting/ drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/disabling_cmd_application.yml b/detections/endpoint/disabling_cmd_application.yml index 202c77e083..65b769780d 100644 --- a/detections/endpoint/disabling_cmd_application.yml +++ b/detections/endpoint/disabling_cmd_application.yml @@ -15,12 +15,12 @@ known_false_positives: admin may disable this application for non technical user references: - https://any.run/report/ea4ea08407d4ee72e009103a3b77e5a09412b722fdef67315ea63f22011152af/a866d7b1-c236-4f26-a391-5ae32213dfc4#registry drilldown_searches: -- name: View the detection results for $user$ and $dest$ - search: '%original_detection_search% | search user = $user$ dest = $dest$' +- name: View the detection results for - "$user$" and "$dest$" + search: '%original_detection_search% | search user = "$user$" dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ and $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$, $dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" and "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/disabling_controlpanel.yml b/detections/endpoint/disabling_controlpanel.yml index d92b2adc10..9ccc5bcc46 100644 --- a/detections/endpoint/disabling_controlpanel.yml +++ b/detections/endpoint/disabling_controlpanel.yml @@ -15,12 +15,12 @@ known_false_positives: admin may disable this application for non technical user references: - https://any.run/report/ea4ea08407d4ee72e009103a3b77e5a09412b722fdef67315ea63f22011152af/a866d7b1-c236-4f26-a391-5ae32213dfc4#registry drilldown_searches: -- name: View the detection results for $user$ and $dest$ - search: '%original_detection_search% | search user = $user$ dest = $dest$' +- name: View the detection results for - "$user$" and "$dest$" + search: '%original_detection_search% | search user = "$user$" dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ and $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$, $dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" and "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/disabling_defender_services.yml b/detections/endpoint/disabling_defender_services.yml index d3bb2b38e2..80ceceae5b 100644 --- a/detections/endpoint/disabling_defender_services.yml +++ b/detections/endpoint/disabling_defender_services.yml @@ -15,12 +15,12 @@ known_false_positives: admin or user may choose to disable windows defender prod references: - https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/ drilldown_searches: -- name: View the detection results for $dest$ and $user$ - search: '%original_detection_search% | search dest = $dest$ user = $user$' +- name: View the detection results for - "$dest$" and "$user$" + search: '%original_detection_search% | search dest = "$dest$" user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ and $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$, $user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" and "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/disabling_firewall_with_netsh.yml b/detections/endpoint/disabling_firewall_with_netsh.yml index 40625d4689..adaaf3d219 100644 --- a/detections/endpoint/disabling_firewall_with_netsh.yml +++ b/detections/endpoint/disabling_firewall_with_netsh.yml @@ -16,12 +16,12 @@ known_false_positives: admin may disable firewall during testing or fixing netwo references: - https://tccontre.blogspot.com/2020/01/remcos-rat-evading-windows-defender-av.html drilldown_searches: -- name: View the detection results for $user$ and $dest$ - search: '%original_detection_search% | search user = $user$ dest = $dest$' +- name: View the detection results for - "$user$" and "$dest$" + search: '%original_detection_search% | search user = "$user$" dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ and $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$, $dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" and "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/disabling_folderoptions_windows_feature.yml b/detections/endpoint/disabling_folderoptions_windows_feature.yml index 2d6c03aa6c..2ff6061235 100644 --- a/detections/endpoint/disabling_folderoptions_windows_feature.yml +++ b/detections/endpoint/disabling_folderoptions_windows_feature.yml @@ -15,12 +15,12 @@ known_false_positives: admin may disable this application for non technical user references: - https://any.run/report/ea4ea08407d4ee72e009103a3b77e5a09412b722fdef67315ea63f22011152af/a866d7b1-c236-4f26-a391-5ae32213dfc4#registry drilldown_searches: -- name: View the detection results for $user$ and $dest$ - search: '%original_detection_search% | search user = $user$ dest = $dest$' +- name: View the detection results for - "$user$" and "$dest$" + search: '%original_detection_search% | search user = "$user$" dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ and $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$, $dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" and "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/disabling_net_user_account.yml b/detections/endpoint/disabling_net_user_account.yml index 17b2126a88..8d089e8f1d 100644 --- a/detections/endpoint/disabling_net_user_account.yml +++ b/detections/endpoint/disabling_net_user_account.yml @@ -16,12 +16,12 @@ known_false_positives: unknown references: - https://thedfirreport.com/2020/04/20/sqlserver-or-the-miner-in-the-basement/ drilldown_searches: -- name: View the detection results for $user$ and $dest$ - search: '%original_detection_search% | search user = $user$ dest = $dest$' +- name: View the detection results for - "$user$" and "$dest$" + search: '%original_detection_search% | search user = "$user$" dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ and $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$, $dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" and "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/disabling_norun_windows_app.yml b/detections/endpoint/disabling_norun_windows_app.yml index 8bb473b5b7..79c9ae00ff 100644 --- a/detections/endpoint/disabling_norun_windows_app.yml +++ b/detections/endpoint/disabling_norun_windows_app.yml @@ -16,12 +16,12 @@ references: - https://any.run/report/ea4ea08407d4ee72e009103a3b77e5a09412b722fdef67315ea63f22011152af/a866d7b1-c236-4f26-a391-5ae32213dfc4#registry - https://blog.malwarebytes.com/detections/pum-optional-norun/ drilldown_searches: -- name: View the detection results for $user$ and $dest$ - search: '%original_detection_search% | search user = $user$ dest = $dest$' +- name: View the detection results for - "$user$" and "$dest$" + search: '%original_detection_search% | search user = "$user$" dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ and $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$, $dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" and "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/disabling_remote_user_account_control.yml b/detections/endpoint/disabling_remote_user_account_control.yml index 6a58e080b7..e64bce1520 100644 --- a/detections/endpoint/disabling_remote_user_account_control.yml +++ b/detections/endpoint/disabling_remote_user_account_control.yml @@ -14,12 +14,12 @@ how_to_implement: To successfully implement this search, you must be ingesting d known_false_positives: This registry key may be modified via administrators to implement a change in system policy. This type of change should be a very rare occurrence. references: [] drilldown_searches: -- name: View the detection results for $user$ and $dest$ - search: '%original_detection_search% | search user = $user$ dest = $dest$' +- name: View the detection results for - "$user$" and "$dest$" + search: '%original_detection_search% | search user = "$user$" dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ and $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$, $dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" and "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/disabling_systemrestore_in_registry.yml b/detections/endpoint/disabling_systemrestore_in_registry.yml index b71deef3af..5ca79f0aa6 100644 --- a/detections/endpoint/disabling_systemrestore_in_registry.yml +++ b/detections/endpoint/disabling_systemrestore_in_registry.yml @@ -15,12 +15,12 @@ known_false_positives: in some cases admin can disable systemrestore on a machin references: - https://tccontre.blogspot.com/2020/01/remcos-rat-evading-windows-defender-av.html drilldown_searches: -- name: View the detection results for $user$ and $dest$ - search: '%original_detection_search% | search user = $user$ dest = $dest$' +- name: View the detection results for - "$user$" and "$dest$" + search: '%original_detection_search% | search user = "$user$" dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ and $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$, $dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" and "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/disabling_task_manager.yml b/detections/endpoint/disabling_task_manager.yml index 149b2ef914..d58a2f843e 100644 --- a/detections/endpoint/disabling_task_manager.yml +++ b/detections/endpoint/disabling_task_manager.yml @@ -16,12 +16,12 @@ references: - https://any.run/report/ea4ea08407d4ee72e009103a3b77e5a09412b722fdef67315ea63f22011152af/a866d7b1-c236-4f26-a391-5ae32213dfc4#registry - https://blog.talosintelligence.com/2020/05/threat-roundup-0424-0501.html drilldown_searches: -- name: View the detection results for $user$ and $dest$ - search: '%original_detection_search% | search user = $user$ dest = $dest$' +- name: View the detection results for - "$user$" and "$dest$" + search: '%original_detection_search% | search user = "$user$" dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ and $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$, $dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" and "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/disabling_windows_local_security_authority_defences_via_registry.yml b/detections/endpoint/disabling_windows_local_security_authority_defences_via_registry.yml index 9391eb3936..9003ecb849 100644 --- a/detections/endpoint/disabling_windows_local_security_authority_defences_via_registry.yml +++ b/detections/endpoint/disabling_windows_local_security_authority_defences_via_registry.yml @@ -15,12 +15,12 @@ references: - https://docs.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection - https://docs.microsoft.com/en-us/windows/security/identity-protection/credential-guard/credential-guard-manage drilldown_searches: -- name: View the detection results for $user$ and $dest$ - search: '%original_detection_search% | search user = $user$ dest = $dest$' +- name: View the detection results for - "$user$" and "$dest$" + search: '%original_detection_search% | search user = "$user$" dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ and $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$, $dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" and "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/dllhost_with_no_command_line_arguments_with_network.yml b/detections/endpoint/dllhost_with_no_command_line_arguments_with_network.yml index 1bad983fa0..b2bec8e183 100644 --- a/detections/endpoint/dllhost_with_no_command_line_arguments_with_network.yml +++ b/detections/endpoint/dllhost_with_no_command_line_arguments_with_network.yml @@ -5,37 +5,12 @@ date: '2024-10-17' author: Steven Dick, Michael Haag, Splunk status: experimental type: TTP -description: The following analytic detects instances of DLLHost.exe running without - command line arguments while establishing a network connection. This behavior is - identified using Endpoint Detection and Response (EDR) telemetry, focusing on process - execution and network activity data. It is significant because DLLHost.exe typically - runs with specific arguments, and its absence can indicate malicious activity, such - as Cobalt Strike usage. If confirmed malicious, this activity could allow attackers - to execute code, move laterally, or exfiltrate data, posing a severe threat to the - network's security. +description: The following analytic detects instances of DLLHost.exe running without command line arguments while establishing a network connection. This behavior is identified using Endpoint Detection and Response (EDR) telemetry, focusing on process execution and network activity data. It is significant because DLLHost.exe typically runs with specific arguments, and its absence can indicate malicious activity, such as Cobalt Strike usage. If confirmed malicious, this activity could allow attackers to execute code, move laterally, or exfiltrate data, posing a severe threat to the network's security. data_source: - Sysmon EventID 1 AND Sysmon EventID 3 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) - as lastTime FROM datamodel=Endpoint.Processes where Processes.process_name=dllhost.exe - Processes.action!="blocked" by host _time span=1h Processes.process_id Processes.process_name - Processes.dest Processes.process_path Processes.process Processes.parent_process_name - Processes.parent_process | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` | regex process="(?i)(dllhost\.exe.{0,4}$)" - | rename dest as src | join host process_id [| tstats `security_content_summariesonly` - count latest(All_Traffic.dest) as dest latest(All_Traffic.dest_ip) as dest_ip latest(All_Traffic.dest_port) - as dest_port FROM datamodel=Network_Traffic.All_Traffic where All_Traffic.dest_port - != 0 by host All_Traffic.process_id | `drop_dm_object_name(All_Traffic)`] | `dllhost_with_no_command_line_arguments_with_network_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection - and Response (EDR) agents. These agents are designed to provide security-related - telemetry from the endpoints where the agent is installed. To implement this search, - you must ingest logs that contain the process GUID, process name, and parent process. - Additionally, you must ingest complete command-line executions. These logs must - be processed using the appropriate Splunk Technology Add-ons that are specific to - the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` - data model. Use the Splunk Common Information Model (CIM) to normalize the field - names and speed up the data modeling process. -known_false_positives: Although unlikely, some legitimate third party applications - may use a moved copy of dllhost, triggering a false positive. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes where Processes.process_name=dllhost.exe Processes.action!="blocked" by host _time span=1h Processes.process_id Processes.process_name Processes.dest Processes.process_path Processes.process Processes.parent_process_name Processes.parent_process | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | regex process="(?i)(dllhost\.exe.{0,4}$)" | rename dest as src | join host process_id [| tstats `security_content_summariesonly` count latest(All_Traffic.dest) as dest latest(All_Traffic.dest_ip) as dest_ip latest(All_Traffic.dest_port) as dest_port FROM datamodel=Network_Traffic.All_Traffic where All_Traffic.dest_port != 0 by host All_Traffic.process_id | `drop_dm_object_name(All_Traffic)`] | `dllhost_with_no_command_line_arguments_with_network_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. +known_false_positives: Although unlikely, some legitimate third party applications may use a moved copy of dllhost, triggering a false positive. references: - https://raw.githubusercontent.com/threatexpress/malleable-c2/c3385e481159a759f79b8acfe11acf240893b830/jquery-c2.4.2.profile - https://www.cobaltstrike.com/blog/learn-pipe-fitting-for-all-of-your-offense-projects/ @@ -47,8 +22,7 @@ tags: asset_type: Endpoint confidence: 70 impact: 70 - message: The process $process_name$ was spawned by $parent_process_name$ without - any command-line arguments on $src$ by $user$. + message: The process $process_name$ was spawned by $parent_process_name$ without any command-line arguments on $src$ by $user$. mitre_attack_id: - T1055 observable: @@ -85,7 +59,6 @@ tags: tests: - name: True Positive Test attack_data: - - data: - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1055/cobalt_strike/windows-sysmon_dllhost.log + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1055/cobalt_strike/windows-sysmon_dllhost.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/dns_exfiltration_using_nslookup_app.yml b/detections/endpoint/dns_exfiltration_using_nslookup_app.yml index fd5cd54870..e7df193853 100644 --- a/detections/endpoint/dns_exfiltration_using_nslookup_app.yml +++ b/detections/endpoint/dns_exfiltration_using_nslookup_app.yml @@ -18,12 +18,12 @@ references: - https://www.varonis.com/blog/dns-tunneling - https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/ drilldown_searches: -- name: View the detection results for $user$ and $dest$ - search: '%original_detection_search% | search user = $user$ dest = $dest$' +- name: View the detection results for - "$user$" and "$dest$" + search: '%original_detection_search% | search user = "$user$" dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ and $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$, $dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" and "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/domain_account_discovery_with_dsquery.yml b/detections/endpoint/domain_account_discovery_with_dsquery.yml index acf626cb4b..58207713cc 100644 --- a/detections/endpoint/domain_account_discovery_with_dsquery.yml +++ b/detections/endpoint/domain_account_discovery_with_dsquery.yml @@ -5,33 +5,13 @@ date: '2024-10-17' author: Teoderick Contreras, Mauricio Velazco, Splunk status: production type: Hunting -description: The following analytic identifies the execution of `dsquery.exe` with - command-line arguments used to discover domain users. It leverages data from Endpoint - Detection and Response (EDR) agents, focusing on process names and command-line - executions. This activity is significant as it indicates potential reconnaissance - efforts by adversaries to map out domain users, which is a common precursor to further - attacks. If confirmed malicious, this behavior could allow attackers to gain insights - into user accounts, facilitating subsequent actions like privilege escalation or - lateral movement within the network. +description: The following analytic identifies the execution of `dsquery.exe` with command-line arguments used to discover domain users. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. This activity is significant as it indicates potential reconnaissance efforts by adversaries to map out domain users, which is a common precursor to further attacks. If confirmed malicious, this behavior could allow attackers to gain insights into user accounts, facilitating subsequent actions like privilege escalation or lateral movement within the network. data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) - as lastTime from datamodel=Endpoint.Processes where Processes.process_name="dsquery.exe" - AND Processes.process = "*user*" by Processes.dest Processes.user Processes.parent_process - Processes.process_name Processes.process Processes.process_id Processes.parent_process_id - Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` | `domain_account_discovery_with_dsquery_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection - and Response (EDR) agents. These agents are designed to provide security-related - telemetry from the endpoints where the agent is installed. To implement this search, - you must ingest logs that contain the process GUID, process name, and parent process. - Additionally, you must ingest complete command-line executions. These logs must - be processed using the appropriate Splunk Technology Add-ons that are specific to - the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` - data model. Use the Splunk Common Information Model (CIM) to normalize the field - names and speed up the data modeling process. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name="dsquery.exe" AND Processes.process = "*user*" by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `domain_account_discovery_with_dsquery_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. known_false_positives: Administrators or power users may use this command for troubleshooting. references: - https://jpcertcc.github.io/ToolAnalysisResultSheet/details/dsquery.htm @@ -78,7 +58,6 @@ tags: tests: - name: True Positive Test attack_data: - - data: - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1087.002/AD_discovery/windows-sysmon.log + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1087.002/AD_discovery/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/domain_account_discovery_with_net_app.yml b/detections/endpoint/domain_account_discovery_with_net_app.yml index f96bba88cf..b06663809c 100644 --- a/detections/endpoint/domain_account_discovery_with_net_app.yml +++ b/detections/endpoint/domain_account_discovery_with_net_app.yml @@ -17,12 +17,12 @@ references: - https://docs.microsoft.com/en-us/defender-for-identity/playbook-domain-dominance - https://attack.mitre.org/techniques/T1087/002/ drilldown_searches: -- name: View the detection results for $user$ and $dest$ - search: '%original_detection_search% | search user = $user$ dest = $dest$' +- name: View the detection results for - "$user$" and "$dest$" + search: '%original_detection_search% | search user = "$user$" dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ and $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$, $dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" and "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/domain_account_discovery_with_wmic.yml b/detections/endpoint/domain_account_discovery_with_wmic.yml index 1a6b29144d..787aa5c906 100644 --- a/detections/endpoint/domain_account_discovery_with_wmic.yml +++ b/detections/endpoint/domain_account_discovery_with_wmic.yml @@ -16,12 +16,12 @@ known_false_positives: Administrators or power users may use this command for tr references: - https://attack.mitre.org/techniques/T1087/002/ drilldown_searches: -- name: View the detection results for $user$ and $dest$ - search: '%original_detection_search% | search user = $user$ dest = $dest$' +- name: View the detection results for - "$user$" and "$dest$" + search: '%original_detection_search% | search user = "$user$" dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ and $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$, $dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" and "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/domain_controller_discovery_with_nltest.yml b/detections/endpoint/domain_controller_discovery_with_nltest.yml index 371b7ba128..8558fd8990 100644 --- a/detections/endpoint/domain_controller_discovery_with_nltest.yml +++ b/detections/endpoint/domain_controller_discovery_with_nltest.yml @@ -16,12 +16,12 @@ known_false_positives: Administrators or power users may use this command for tr references: - https://attack.mitre.org/techniques/T1018/ drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/domain_controller_discovery_with_wmic.yml b/detections/endpoint/domain_controller_discovery_with_wmic.yml index ea6f7d40fd..8a4ae4c2a1 100644 --- a/detections/endpoint/domain_controller_discovery_with_wmic.yml +++ b/detections/endpoint/domain_controller_discovery_with_wmic.yml @@ -5,33 +5,13 @@ date: '2024-10-17' author: Mauricio Velazco, Splunk status: production type: Hunting -description: The following analytic identifies the execution of `wmic.exe` with command-line - arguments used to discover domain controllers in a Windows domain. It leverages - data from Endpoint Detection and Response (EDR) agents, focusing on process names - and command-line arguments. This activity is significant because it is commonly - used by adversaries and Red Teams for situational awareness and Active Directory - discovery. If confirmed malicious, this behavior could allow attackers to map out - the network, identify key systems, and plan further attacks, potentially leading - to unauthorized access and data exfiltration. +description: The following analytic identifies the execution of `wmic.exe` with command-line arguments used to discover domain controllers in a Windows domain. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line arguments. This activity is significant because it is commonly used by adversaries and Red Teams for situational awareness and Active Directory discovery. If confirmed malicious, this behavior could allow attackers to map out the network, identify key systems, and plan further attacks, potentially leading to unauthorized access and data exfiltration. data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) - as lastTime from datamodel=Endpoint.Processes where (Processes.process_name="wmic.exe") - (Processes.process="" OR Processes.process="*DomainControllerAddress*") by Processes.dest - Processes.user Processes.parent_process Processes.process_name Processes.process - Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` - | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `domain_controller_discovery_with_wmic_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection - and Response (EDR) agents. These agents are designed to provide security-related - telemetry from the endpoints where the agent is installed. To implement this search, - you must ingest logs that contain the process GUID, process name, and parent process. - Additionally, you must ingest complete command-line executions. These logs must - be processed using the appropriate Splunk Technology Add-ons that are specific to - the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` - data model. Use the Splunk Common Information Model (CIM) to normalize the field - names and speed up the data modeling process. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name="wmic.exe") (Processes.process="" OR Processes.process="*DomainControllerAddress*") by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `domain_controller_discovery_with_wmic_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. known_false_positives: Administrators or power users may use this command for troubleshooting. references: - https://attack.mitre.org/techniques/T1018/ @@ -70,7 +50,6 @@ tags: tests: - name: True Positive Test attack_data: - - data: - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1018/AD_discovery/windows-sysmon.log + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1018/AD_discovery/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/domain_group_discovery_with_adsisearcher.yml b/detections/endpoint/domain_group_discovery_with_adsisearcher.yml index ef3e842eb9..a8fa23c479 100644 --- a/detections/endpoint/domain_group_discovery_with_adsisearcher.yml +++ b/detections/endpoint/domain_group_discovery_with_adsisearcher.yml @@ -15,12 +15,12 @@ references: - https://attack.mitre.org/techniques/T1069/002/ - https://devblogs.microsoft.com/scripting/use-the-powershell-adsisearcher-type-accelerator-to-search-active-directory/ drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/domain_group_discovery_with_dsquery.yml b/detections/endpoint/domain_group_discovery_with_dsquery.yml index 8c567e7739..fa9766e496 100644 --- a/detections/endpoint/domain_group_discovery_with_dsquery.yml +++ b/detections/endpoint/domain_group_discovery_with_dsquery.yml @@ -5,33 +5,13 @@ date: '2024-10-17' author: Mauricio Velazco, Splunk status: production type: Hunting -description: The following analytic identifies the execution of `dsquery.exe` with - command-line arguments used to query for domain groups. It leverages Endpoint Detection - and Response (EDR) data, focusing on process names and command-line arguments. This - activity is significant because both Red Teams and adversaries use `dsquery.exe` - to enumerate domain groups, gaining situational awareness and facilitating further - Active Directory discovery. If confirmed malicious, this behavior could allow attackers - to map out the domain structure, identify high-value targets, and plan subsequent - attacks, potentially leading to privilege escalation or data exfiltration. +description: The following analytic identifies the execution of `dsquery.exe` with command-line arguments used to query for domain groups. It leverages Endpoint Detection and Response (EDR) data, focusing on process names and command-line arguments. This activity is significant because both Red Teams and adversaries use `dsquery.exe` to enumerate domain groups, gaining situational awareness and facilitating further Active Directory discovery. If confirmed malicious, this behavior could allow attackers to map out the domain structure, identify high-value targets, and plan subsequent attacks, potentially leading to privilege escalation or data exfiltration. data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) - as lastTime from datamodel=Endpoint.Processes where (Processes.process_name="dsquery.exe") - (Processes.process="*group*") by Processes.dest Processes.user Processes.parent_process - Processes.process_name Processes.process Processes.process_id Processes.parent_process_id - | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` - | `domain_group_discovery_with_dsquery_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection - and Response (EDR) agents. These agents are designed to provide security-related - telemetry from the endpoints where the agent is installed. To implement this search, - you must ingest logs that contain the process GUID, process name, and parent process. - Additionally, you must ingest complete command-line executions. These logs must - be processed using the appropriate Splunk Technology Add-ons that are specific to - the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` - data model. Use the Splunk Common Information Model (CIM) to normalize the field - names and speed up the data modeling process. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name="dsquery.exe") (Processes.process="*group*") by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `domain_group_discovery_with_dsquery_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. known_false_positives: Administrators or power users may use this command for troubleshooting. references: - https://attack.mitre.org/techniques/T1069/002/ @@ -71,7 +51,6 @@ tags: tests: - name: True Positive Test attack_data: - - data: - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1069.002/AD_discovery/windows-sysmon.log + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1069.002/AD_discovery/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/domain_group_discovery_with_net.yml b/detections/endpoint/domain_group_discovery_with_net.yml index 14cc1e789b..9dc04ce016 100644 --- a/detections/endpoint/domain_group_discovery_with_net.yml +++ b/detections/endpoint/domain_group_discovery_with_net.yml @@ -5,33 +5,13 @@ date: '2024-10-17' author: Mauricio Velazco, Splunk status: production type: Hunting -description: The following analytic identifies the execution of `net.exe` with command-line - arguments used to query domain groups, specifically `group /domain`. It leverages - data from Endpoint Detection and Response (EDR) agents, focusing on process names - and command-line arguments. This activity is significant as it indicates potential - reconnaissance efforts by adversaries to enumerate domain groups, which is a common - step in Active Directory Discovery. If confirmed malicious, this behavior could - allow attackers to gain insights into the domain structure, aiding in further attacks - such as privilege escalation or lateral movement. +description: The following analytic identifies the execution of `net.exe` with command-line arguments used to query domain groups, specifically `group /domain`. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line arguments. This activity is significant as it indicates potential reconnaissance efforts by adversaries to enumerate domain groups, which is a common step in Active Directory Discovery. If confirmed malicious, this behavior could allow attackers to gain insights into the domain structure, aiding in further attacks such as privilege escalation or lateral movement. data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) - as lastTime from datamodel=Endpoint.Processes where (Processes.process_name="net.exe" - OR Processes.process_name="net1.exe") (Processes.process=*group* AND Processes.process=*/do*) - by Processes.dest Processes.user Processes.parent_process Processes.process_name - Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` - | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `domain_group_discovery_with_net_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection - and Response (EDR) agents. These agents are designed to provide security-related - telemetry from the endpoints where the agent is installed. To implement this search, - you must ingest logs that contain the process GUID, process name, and parent process. - Additionally, you must ingest complete command-line executions. These logs must - be processed using the appropriate Splunk Technology Add-ons that are specific to - the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` - data model. Use the Splunk Common Information Model (CIM) to normalize the field - names and speed up the data modeling process. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name="net.exe" OR Processes.process_name="net1.exe") (Processes.process=*group* AND Processes.process=*/do*) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `domain_group_discovery_with_net_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. known_false_positives: Administrators or power users may use this command for troubleshooting. references: - https://attack.mitre.org/techniques/T1069/002/ @@ -75,7 +55,6 @@ tags: tests: - name: True Positive Test attack_data: - - data: - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1069.002/AD_discovery/windows-sysmon.log + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1069.002/AD_discovery/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/domain_group_discovery_with_wmic.yml b/detections/endpoint/domain_group_discovery_with_wmic.yml index 8739abb243..6043a46e3a 100644 --- a/detections/endpoint/domain_group_discovery_with_wmic.yml +++ b/detections/endpoint/domain_group_discovery_with_wmic.yml @@ -5,34 +5,13 @@ date: '2024-10-17' author: Mauricio Velazco, Splunk status: production type: Hunting -description: The following analytic identifies the execution of `wmic.exe` with command-line - arguments used to query for domain groups. It leverages data from Endpoint Detection - and Response (EDR) agents, focusing on process names and command-line executions. - This activity is significant as it indicates potential reconnaissance efforts by - adversaries to gain situational awareness and map out Active Directory structures. - If confirmed malicious, this behavior could allow attackers to identify and target - specific domain groups, potentially leading to privilege escalation or lateral movement - within the network. +description: The following analytic identifies the execution of `wmic.exe` with command-line arguments used to query for domain groups. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. This activity is significant as it indicates potential reconnaissance efforts by adversaries to gain situational awareness and map out Active Directory structures. If confirmed malicious, this behavior could allow attackers to identify and target specific domain groups, potentially leading to privilege escalation or lateral movement within the network. data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) - as lastTime from datamodel=Endpoint.Processes where (Processes.process_name="wmic.exe") - (Processes.process=*/NAMESPACE:\\\\root\\directory\\ldap* AND Processes.process=*ds_group* - AND Processes.process="*GET ds_samaccountname*") by Processes.dest Processes.user - Processes.parent_process Processes.process_name Processes.process Processes.process_id - Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` | `domain_group_discovery_with_wmic_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection - and Response (EDR) agents. These agents are designed to provide security-related - telemetry from the endpoints where the agent is installed. To implement this search, - you must ingest logs that contain the process GUID, process name, and parent process. - Additionally, you must ingest complete command-line executions. These logs must - be processed using the appropriate Splunk Technology Add-ons that are specific to - the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` - data model. Use the Splunk Common Information Model (CIM) to normalize the field - names and speed up the data modeling process. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name="wmic.exe") (Processes.process=*/NAMESPACE:\\\\root\\directory\\ldap* AND Processes.process=*ds_group* AND Processes.process="*GET ds_samaccountname*") by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `domain_group_discovery_with_wmic_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. known_false_positives: Administrators or power users may use this command for troubleshooting. references: - https://attack.mitre.org/techniques/T1069/002/ @@ -72,7 +51,6 @@ tags: tests: - name: True Positive Test attack_data: - - data: - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1069.002/AD_discovery/windows-sysmon.log + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1069.002/AD_discovery/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/download_files_using_telegram.yml b/detections/endpoint/download_files_using_telegram.yml index 80d744945d..7799999278 100644 --- a/detections/endpoint/download_files_using_telegram.yml +++ b/detections/endpoint/download_files_using_telegram.yml @@ -14,12 +14,12 @@ known_false_positives: normal download of file in telegram app. (if it was a com references: - https://thedfirreport.com/2020/04/20/sqlserver-or-the-miner-in-the-basement/ drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/drop_icedid_license_dat.yml b/detections/endpoint/drop_icedid_license_dat.yml index 22f36851f8..9767f3bcb4 100644 --- a/detections/endpoint/drop_icedid_license_dat.yml +++ b/detections/endpoint/drop_icedid_license_dat.yml @@ -5,24 +5,11 @@ date: '2024-10-17' author: Teoderick Contreras, Splunk status: production type: Hunting -description: The following analytic detects the dropping of a suspicious file named - "license.dat" in %appdata% or %programdata%. This behavior is associated with the - IcedID malware, which uses this file to inject its core bot into other processes - for banking credential theft. The detection leverages Sysmon EventCode 11 to monitor - file creation events in these directories. This activity is significant as it indicates - a potential malware infection aiming to steal sensitive banking information. If - confirmed malicious, the attacker could gain unauthorized access to financial data, - leading to significant financial loss and data breaches. +description: The following analytic detects the dropping of a suspicious file named "license.dat" in %appdata% or %programdata%. This behavior is associated with the IcedID malware, which uses this file to inject its core bot into other processes for banking credential theft. The detection leverages Sysmon EventCode 11 to monitor file creation events in these directories. This activity is significant as it indicates a potential malware infection aiming to steal sensitive banking information. If confirmed malicious, the attacker could gain unauthorized access to financial data, leading to significant financial loss and data breaches. data_source: - Sysmon EventID 11 -search: '`sysmon` EventCode= 11 TargetFilename = "*\\license.dat" AND (TargetFilename="*\\appdata\\*" - OR TargetFilename="*\\programdata\\*") |stats count min(_time) as firstTime max(_time) - as lastTime by TargetFilename EventCode process_id process_name dest | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` | `drop_icedid_license_dat_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting - logs with the process name, parent process, and command-line executions from your - endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the - Sysmon TA. +search: '`sysmon` EventCode= 11 TargetFilename = "*\\license.dat" AND (TargetFilename="*\\appdata\\*" OR TargetFilename="*\\programdata\\*") |stats count min(_time) as firstTime max(_time) as lastTime by TargetFilename EventCode process_id process_name dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `drop_icedid_license_dat_filter`' +how_to_implement: To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. known_false_positives: unknown references: - https://www.cisecurity.org/insights/white-papers/security-primer-icedid @@ -56,7 +43,6 @@ tags: tests: - name: True Positive Test attack_data: - - data: - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/icedid/simulated_icedid/windows-sysmon.log + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/icedid/simulated_icedid/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/dsquery_domain_discovery.yml b/detections/endpoint/dsquery_domain_discovery.yml index de7496e942..4eba33b0b5 100644 --- a/detections/endpoint/dsquery_domain_discovery.yml +++ b/detections/endpoint/dsquery_domain_discovery.yml @@ -19,12 +19,12 @@ references: - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/cc732952(v=ws.11) - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/cc754232(v=ws.11) drilldown_searches: -- name: View the detection results for $user$ and $dest$ - search: '%original_detection_search% | search user = $user$ dest = $dest$' +- name: View the detection results for - "$user$" and "$dest$" + search: '%original_detection_search% | search user = "$user$" dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ and $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$, $dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" and "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/dump_lsass_via_comsvcs_dll.yml b/detections/endpoint/dump_lsass_via_comsvcs_dll.yml index ab9c0acb34..34322b3007 100644 --- a/detections/endpoint/dump_lsass_via_comsvcs_dll.yml +++ b/detections/endpoint/dump_lsass_via_comsvcs_dll.yml @@ -18,12 +18,12 @@ references: - https://twitter.com/SBousseaden/status/1167417096374050817 - https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/ drilldown_searches: -- name: View the detection results for $user$ and $dest$ - search: '%original_detection_search% | search user = $user$ dest = $dest$' +- name: View the detection results for - "$user$" and "$dest$" + search: '%original_detection_search% | search user = "$user$" dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ and $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$, $dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" and "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/dump_lsass_via_procdump.yml b/detections/endpoint/dump_lsass_via_procdump.yml index bb5a7421fe..c988e05912 100644 --- a/detections/endpoint/dump_lsass_via_procdump.yml +++ b/detections/endpoint/dump_lsass_via_procdump.yml @@ -19,12 +19,12 @@ references: - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.001/T1003.001.md#atomic-test-2---dump-lsassexe-memory-using-procdump - https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/ drilldown_searches: -- name: View the detection results for $user$ and $dest$ - search: '%original_detection_search% | search user = $user$ dest = $dest$' +- name: View the detection results for - "$user$" and "$dest$" + search: '%original_detection_search% | search user = "$user$" dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ and $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$, $dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" and "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/elevated_group_discovery_with_net.yml b/detections/endpoint/elevated_group_discovery_with_net.yml index e5efad57dc..94d35b119f 100644 --- a/detections/endpoint/elevated_group_discovery_with_net.yml +++ b/detections/endpoint/elevated_group_discovery_with_net.yml @@ -19,12 +19,12 @@ references: - https://adsecurity.org/?p=3658 - https://media.defense.gov/2023/May/24/2003229517/-1/-1/0/CSA_Living_off_the_Land.PDF drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/elevated_group_discovery_with_powerview.yml b/detections/endpoint/elevated_group_discovery_with_powerview.yml index 102ffa62ed..4045b8f9ad 100644 --- a/detections/endpoint/elevated_group_discovery_with_powerview.yml +++ b/detections/endpoint/elevated_group_discovery_with_powerview.yml @@ -5,24 +5,11 @@ date: '2024-10-17' author: Mauricio Velazco, Splunk status: production type: Hunting -description: The following analytic detects the execution of the `Get-DomainGroupMember` - cmdlet from PowerView, identified through PowerShell Script Block Logging (EventCode=4104). - This cmdlet is used to enumerate members of elevated domain groups such as Domain - Admins and Enterprise Admins. Monitoring this activity is crucial as it indicates - potential reconnaissance efforts by adversaries to identify high-privileged users - within the domain. If confirmed malicious, this activity could lead to targeted - attacks on privileged accounts, facilitating further compromise and lateral movement - within the network. +description: The following analytic detects the execution of the `Get-DomainGroupMember` cmdlet from PowerView, identified through PowerShell Script Block Logging (EventCode=4104). This cmdlet is used to enumerate members of elevated domain groups such as Domain Admins and Enterprise Admins. Monitoring this activity is crucial as it indicates potential reconnaissance efforts by adversaries to identify high-privileged users within the domain. If confirmed malicious, this activity could lead to targeted attacks on privileged accounts, facilitating further compromise and lateral movement within the network. data_source: - Powershell Script Block Logging 4104 -search: '`powershell` EventCode=4104 (ScriptBlockText = "*Get-DomainGroupMember*") AND ScriptBlockText - IN ("*Domain Admins*","*Enterprise Admins*", "*Schema Admins*", "*Account Operators*" - , "*Server Operators*", "*Protected Users*", "*Dns Admins*") | stats count min(_time) - as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | rename Computer as dest, UserID as user | `security_content_ctime(firstTime)` - | `elevated_group_discovery_with_powerview_filter`' -how_to_implement: To successfully implement this analytic, you will need to enable - PowerShell Script Block Logging on some or all endpoints. Additional setup here - https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. +search: '`powershell` EventCode=4104 (ScriptBlockText = "*Get-DomainGroupMember*") AND ScriptBlockText IN ("*Domain Admins*","*Enterprise Admins*", "*Schema Admins*", "*Account Operators*" , "*Server Operators*", "*Protected Users*", "*Dns Admins*") | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | rename Computer as dest, UserID as user | `security_content_ctime(firstTime)` | `elevated_group_discovery_with_powerview_filter`' +how_to_implement: To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. known_false_positives: Administrators or power users may use this PowerView for troubleshooting. references: - https://attack.mitre.org/techniques/T1069/002/ diff --git a/detections/endpoint/elevated_group_discovery_with_wmic.yml b/detections/endpoint/elevated_group_discovery_with_wmic.yml index d2fc70439b..753b0c45b4 100644 --- a/detections/endpoint/elevated_group_discovery_with_wmic.yml +++ b/detections/endpoint/elevated_group_discovery_with_wmic.yml @@ -18,12 +18,12 @@ references: - https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/appendix-b--privileged-accounts-and-groups-in-active-directory - https://adsecurity.org/?p=3658 drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/enable_rdp_in_other_port_number.yml b/detections/endpoint/enable_rdp_in_other_port_number.yml index b03f041232..f8fa9ed8c2 100644 --- a/detections/endpoint/enable_rdp_in_other_port_number.yml +++ b/detections/endpoint/enable_rdp_in_other_port_number.yml @@ -15,12 +15,12 @@ known_false_positives: unknown references: - https://www.mvps.net/docs/how-to-secure-remote-desktop-rdp/ drilldown_searches: -- name: View the detection results for $user$ and $dest$ - search: '%original_detection_search% | search user = $user$ dest = $dest$' +- name: View the detection results for - "$user$" and "$dest$" + search: '%original_detection_search% | search user = "$user$" dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ and $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$, $dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" and "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/enable_wdigest_uselogoncredential_registry.yml b/detections/endpoint/enable_wdigest_uselogoncredential_registry.yml index 31e8514071..d64bc36006 100644 --- a/detections/endpoint/enable_wdigest_uselogoncredential_registry.yml +++ b/detections/endpoint/enable_wdigest_uselogoncredential_registry.yml @@ -15,12 +15,12 @@ known_false_positives: unknown references: - https://www.csoonline.com/article/3438824/how-to-detect-and-halt-credential-theft-via-windows-wdigest.html drilldown_searches: -- name: View the detection results for $user$ and $dest$ - search: '%original_detection_search% | search user = $user$ dest = $dest$' +- name: View the detection results for - "$user$" and "$dest$" + search: '%original_detection_search% | search user = "$user$" dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ and $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$, $dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" and "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/enumerate_users_local_group_using_telegram.yml b/detections/endpoint/enumerate_users_local_group_using_telegram.yml index 41f072779d..acd77891de 100644 --- a/detections/endpoint/enumerate_users_local_group_using_telegram.yml +++ b/detections/endpoint/enumerate_users_local_group_using_telegram.yml @@ -15,12 +15,12 @@ references: - https://thedfirreport.com/2020/04/20/sqlserver-or-the-miner-in-the-basement/ - https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4798 drilldown_searches: -- name: View the detection results for $user$ and $dest$ - search: '%original_detection_search% | search user = $user$ dest = $dest$' +- name: View the detection results for - "$user$" and "$dest$" + search: '%original_detection_search% | search user = "$user$" dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ and $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$, $dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" and "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/esentutl_sam_copy.yml b/detections/endpoint/esentutl_sam_copy.yml index 9012f54f5c..b6494efe8d 100644 --- a/detections/endpoint/esentutl_sam_copy.yml +++ b/detections/endpoint/esentutl_sam_copy.yml @@ -5,33 +5,13 @@ date: '2024-10-17' author: Michael Haag, Splunk status: production type: Hunting -description: The following analytic detects the use of `esentutl.exe` to access credentials - stored in the ntds.dit or SAM file. This detection leverages data from Endpoint - Detection and Response (EDR) agents, focusing on process execution logs that include - command-line details. This activity is significant because it may indicate an attempt - to extract sensitive credential information, which is a common tactic in lateral - movement and privilege escalation. If confirmed malicious, this could allow an attacker - to gain unauthorized access to user credentials, potentially compromising the entire - network. +description: The following analytic detects the use of `esentutl.exe` to access credentials stored in the ntds.dit or SAM file. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs that include command-line details. This activity is significant because it may indicate an attempt to extract sensitive credential information, which is a common tactic in lateral movement and privilege escalation. If confirmed malicious, this could allow an attacker to gain unauthorized access to user credentials, potentially compromising the entire network. data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) - as lastTime from datamodel=Endpoint.Processes where `process_esentutl` Processes.process - IN ("*ntds*", "*SAM*") by Processes.dest Processes.user Processes.parent_process_name - Processes.process_name Processes.original_file_name Processes.process Processes.process_id - Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` | `esentutl_sam_copy_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection - and Response (EDR) agents. These agents are designed to provide security-related - telemetry from the endpoints where the agent is installed. To implement this search, - you must ingest logs that contain the process GUID, process name, and parent process. - Additionally, you must ingest complete command-line executions. These logs must - be processed using the appropriate Splunk Technology Add-ons that are specific to - the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` - data model. Use the Splunk Common Information Model (CIM) to normalize the field - names and speed up the data modeling process. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_esentutl` Processes.process IN ("*ntds*", "*SAM*") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `esentutl_sam_copy_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. known_false_positives: False positives should be limited. Filter as needed. references: - https://github.com/redcanaryco/atomic-red-team/blob/6a570c2a4630cf0c2bd41a2e8375b5d5ab92f700/atomics/T1003.002/T1003.002.md @@ -43,9 +23,7 @@ tags: asset_type: Endpoint confidence: 100 impact: 80 - message: An instance of $parent_process_name$ spawning $process_name$ was identified - on endpoint $dest$ by user user$ attempting to capture credentials for offline - cracking or observability. + message: An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user user$ attempting to capture credentials for offline cracking or observability. mitre_attack_id: - T1003.002 - T1003 @@ -88,7 +66,6 @@ tags: tests: - name: True Positive Test attack_data: - - data: - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.002/atomic_red_team/windows-sysmon.log + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.002/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/etw_registry_disabled.yml b/detections/endpoint/etw_registry_disabled.yml index 18fe78a3ae..07be78558f 100644 --- a/detections/endpoint/etw_registry_disabled.yml +++ b/detections/endpoint/etw_registry_disabled.yml @@ -15,12 +15,12 @@ known_false_positives: unknown references: - https://gist.github.com/Cyb3rWard0g/a4a115fd3ab518a0e593525a379adee3 drilldown_searches: -- name: View the detection results for $dest$ and $user$ - search: '%original_detection_search% | search dest = $dest$ user = $user$' +- name: View the detection results for - "$dest$" and "$user$" + search: '%original_detection_search% | search dest = "$dest$" user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ and $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$, $user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" and "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/eventvwr_uac_bypass.yml b/detections/endpoint/eventvwr_uac_bypass.yml index 693a5f2a07..6cad3bf82c 100644 --- a/detections/endpoint/eventvwr_uac_bypass.yml +++ b/detections/endpoint/eventvwr_uac_bypass.yml @@ -19,12 +19,12 @@ references: - https://attack.mitre.org/techniques/T1548/002/ - https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/ drilldown_searches: -- name: View the detection results for $user$ and $dest$ - search: '%original_detection_search% | search user = $user$ dest = $dest$' +- name: View the detection results for - "$user$" and "$dest$" + search: '%original_detection_search% | search user = "$user$" dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ and $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$, $dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" and "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/excel_spawning_powershell.yml b/detections/endpoint/excel_spawning_powershell.yml index 9f42442f3a..09034c1a69 100644 --- a/detections/endpoint/excel_spawning_powershell.yml +++ b/detections/endpoint/excel_spawning_powershell.yml @@ -17,12 +17,12 @@ references: - https://redcanary.com/threat-detection-report/techniques/powershell/ - https://attack.mitre.org/techniques/T1566/001/ drilldown_searches: -- name: View the detection results for $user$ and $dest$ - search: '%original_detection_search% | search user = $user$ dest = $dest$' +- name: View the detection results for - "$user$" and "$dest$" + search: '%original_detection_search% | search user = "$user$" dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ and $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$, $dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" and "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/excel_spawning_windows_script_host.yml b/detections/endpoint/excel_spawning_windows_script_host.yml index ac349674e6..526227673d 100644 --- a/detections/endpoint/excel_spawning_windows_script_host.yml +++ b/detections/endpoint/excel_spawning_windows_script_host.yml @@ -17,12 +17,12 @@ references: - https://app.any.run/tasks/8ecfbc29-03d0-421c-a5bf-3905d29192a2/ - https://attack.mitre.org/techniques/T1566/001/ drilldown_searches: -- name: View the detection results for $user$ and $dest$ - search: '%original_detection_search% | search user = $user$ dest = $dest$' +- name: View the detection results for - "$user$" and "$dest$" + search: '%original_detection_search% | search user = "$user$" dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ and $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$, $dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" and "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/excessive_attempt_to_disable_services.yml b/detections/endpoint/excessive_attempt_to_disable_services.yml index 7773906cb9..ab382b8e6a 100644 --- a/detections/endpoint/excessive_attempt_to_disable_services.yml +++ b/detections/endpoint/excessive_attempt_to_disable_services.yml @@ -16,12 +16,12 @@ known_false_positives: unknown references: - https://thedfirreport.com/2020/04/20/sqlserver-or-the-miner-in-the-basement/ drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/excessive_distinct_processes_from_windows_temp.yml b/detections/endpoint/excessive_distinct_processes_from_windows_temp.yml index ba3b9e91b2..9b49578493 100644 --- a/detections/endpoint/excessive_distinct_processes_from_windows_temp.yml +++ b/detections/endpoint/excessive_distinct_processes_from_windows_temp.yml @@ -16,12 +16,12 @@ known_false_positives: Many benign applications will create processes from execu references: - https://www.offensive-security.com/metasploit-unleashed/about-meterpreter/ drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/excessive_file_deletion_in_windefender_folder.yml b/detections/endpoint/excessive_file_deletion_in_windefender_folder.yml index 1a737d33ed..b0dc9d5d3c 100644 --- a/detections/endpoint/excessive_file_deletion_in_windefender_folder.yml +++ b/detections/endpoint/excessive_file_deletion_in_windefender_folder.yml @@ -15,12 +15,12 @@ known_false_positives: Windows Defender AV updates may trigger this alert. Pleas references: - https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/ drilldown_searches: -- name: View the detection results for $user$ and $dest$ - search: '%original_detection_search% | search user = $user$ dest = $dest$' +- name: View the detection results for - "$user$" and "$dest$" + search: '%original_detection_search% | search user = "$user$" dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ and $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$, $dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" and "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/excessive_number_of_service_control_start_as_disabled.yml b/detections/endpoint/excessive_number_of_service_control_start_as_disabled.yml index 5e4558f38d..cf2e2de914 100644 --- a/detections/endpoint/excessive_number_of_service_control_start_as_disabled.yml +++ b/detections/endpoint/excessive_number_of_service_control_start_as_disabled.yml @@ -17,12 +17,12 @@ references: - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/sc-create - https://attack.mitre.org/techniques/T1562/001/ drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/excessive_number_of_taskhost_processes.yml b/detections/endpoint/excessive_number_of_taskhost_processes.yml index 28cc94f32b..6b5b38552a 100644 --- a/detections/endpoint/excessive_number_of_taskhost_processes.yml +++ b/detections/endpoint/excessive_number_of_taskhost_processes.yml @@ -16,12 +16,12 @@ known_false_positives: Administrators, administrative actions or certain applica references: - https://attack.mitre.org/software/S0250/ drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/excessive_service_stop_attempt.yml b/detections/endpoint/excessive_service_stop_attempt.yml index 720805c6fb..66b3ed0898 100644 --- a/detections/endpoint/excessive_service_stop_attempt.yml +++ b/detections/endpoint/excessive_service_stop_attempt.yml @@ -16,12 +16,12 @@ known_false_positives: unknown references: - https://thedfirreport.com/2020/04/20/sqlserver-or-the-miner-in-the-basement/ drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/excessive_usage_of_cacls_app.yml b/detections/endpoint/excessive_usage_of_cacls_app.yml index f856e21ed6..0cb90ef55f 100644 --- a/detections/endpoint/excessive_usage_of_cacls_app.yml +++ b/detections/endpoint/excessive_usage_of_cacls_app.yml @@ -16,12 +16,12 @@ known_false_positives: Administrators or administrative scripts may use this app references: - https://thedfirreport.com/2020/04/20/sqlserver-or-the-miner-in-the-basement/ drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/excessive_usage_of_net_app.yml b/detections/endpoint/excessive_usage_of_net_app.yml index 60994dcbd8..efffc17624 100644 --- a/detections/endpoint/excessive_usage_of_net_app.yml +++ b/detections/endpoint/excessive_usage_of_net_app.yml @@ -16,12 +16,12 @@ known_false_positives: unknown. Filter as needed. Modify the time span as needed references: - https://thedfirreport.com/2020/04/20/sqlserver-or-the-miner-in-the-basement/ drilldown_searches: -- name: View the detection results for $user$ and $dest$ - search: '%original_detection_search% | search user = $user$ dest = $dest$' +- name: View the detection results for - "$user$" and "$dest$" + search: '%original_detection_search% | search user = "$user$" dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ and $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$, $dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" and "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/excessive_usage_of_nslookup_app.yml b/detections/endpoint/excessive_usage_of_nslookup_app.yml index c46684dfb2..b7a8fbe72d 100644 --- a/detections/endpoint/excessive_usage_of_nslookup_app.yml +++ b/detections/endpoint/excessive_usage_of_nslookup_app.yml @@ -18,12 +18,12 @@ references: - https://www.varonis.com/blog/dns-tunneling - https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/ drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/excessive_usage_of_sc_service_utility.yml b/detections/endpoint/excessive_usage_of_sc_service_utility.yml index a030570ea8..609cd79d31 100644 --- a/detections/endpoint/excessive_usage_of_sc_service_utility.yml +++ b/detections/endpoint/excessive_usage_of_sc_service_utility.yml @@ -16,12 +16,12 @@ known_false_positives: excessive execution of sc.exe is quite suspicious since i references: - https://app.any.run/tasks/c0f98850-af65-4352-9746-fbebadee4f05/ drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/excessive_usage_of_taskkill.yml b/detections/endpoint/excessive_usage_of_taskkill.yml index e51efa2cb6..0de1d58bce 100644 --- a/detections/endpoint/excessive_usage_of_taskkill.yml +++ b/detections/endpoint/excessive_usage_of_taskkill.yml @@ -17,12 +17,12 @@ references: - https://thedfirreport.com/2020/04/20/sqlserver-or-the-miner-in-the-basement/ - https://www.joesandbox.com/analysis/702680/0/html drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/exchange_powershell_abuse_via_ssrf.yml b/detections/endpoint/exchange_powershell_abuse_via_ssrf.yml index c052e39cc1..6b6c056881 100644 --- a/detections/endpoint/exchange_powershell_abuse_via_ssrf.yml +++ b/detections/endpoint/exchange_powershell_abuse_via_ssrf.yml @@ -5,22 +5,10 @@ date: '2024-10-17' author: Michael Haag, Splunk status: experimental type: TTP -description: 'The following analytic detects suspicious behavior indicative of ProxyShell - exploitation against on-premise Microsoft Exchange servers. It identifies HTTP POST - requests to `autodiscover.json` containing `PowerShell` in the URI, leveraging server-side - request forgery (SSRF) to access backend PowerShell. This detection uses Exchange - server logs ingested into Splunk. Monitoring this activity is crucial as it may - indicate an attacker attempting to execute commands or scripts on the Exchange server. - If confirmed malicious, this could lead to unauthorized access, privilege escalation, - or persistent control over the Exchange environment.' +description: The following analytic detects suspicious behavior indicative of ProxyShell exploitation against on-premise Microsoft Exchange servers. It identifies HTTP POST requests to `autodiscover.json` containing `PowerShell` in the URI, leveraging server-side request forgery (SSRF) to access backend PowerShell. This detection uses Exchange server logs ingested into Splunk. Monitoring this activity is crucial as it may indicate an attacker attempting to execute commands or scripts on the Exchange server. If confirmed malicious, this could lead to unauthorized access, privilege escalation, or persistent control over the Exchange environment. data_source: [] -search: '`exchange` c_uri="*//autodiscover*" cs_uri_query="*PowerShell*" cs_method="POST" - | stats count min(_time) as firstTime max(_time) as lastTime by dest, cs_uri_query, - cs_method, c_uri | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` - | `exchange_powershell_abuse_via_ssrf_filter`' -how_to_implement: The following analytic requires on-premise Exchange to be logging - to Splunk using the TA - https://splunkbase.splunk.com/app/3225. Ensure logs are - parsed correctly, or tune the analytic for your environment. +search: '`exchange` c_uri="*//autodiscover*" cs_uri_query="*PowerShell*" cs_method="POST" | stats count min(_time) as firstTime max(_time) as lastTime by dest, cs_uri_query, cs_method, c_uri | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `exchange_powershell_abuse_via_ssrf_filter`' +how_to_implement: The following analytic requires on-premise Exchange to be logging to Splunk using the TA - https://splunkbase.splunk.com/app/3225. Ensure logs are parsed correctly, or tune the analytic for your environment. known_false_positives: Limited false positives, however, tune as needed. references: - https://github.com/GossiTheDog/ThreatHunting/blob/master/AzureSentinel/Exchange-Powershell-via-SSRF @@ -34,8 +22,7 @@ tags: asset_type: Endpoint confidence: 100 impact: 80 - message: Activity related to ProxyShell has been identified on $dest$. Review events - and take action accordingly. + message: Activity related to ProxyShell has been identified on $dest$. Review events and take action accordingly. mitre_attack_id: - T1190 - T1133 diff --git a/detections/endpoint/exchange_powershell_module_usage.yml b/detections/endpoint/exchange_powershell_module_usage.yml index 9bb0ff03ea..716e5761d5 100644 --- a/detections/endpoint/exchange_powershell_module_usage.yml +++ b/detections/endpoint/exchange_powershell_module_usage.yml @@ -22,12 +22,12 @@ references: - https://learn.microsoft.com/en-us/powershell/module/exchange/get-recipient?view=exchange-ps - https://thedfirreport.com/2022/03/21/apt35-automates-initial-access-using-proxyshell/ drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/executable_file_written_in_administrative_smb_share.yml b/detections/endpoint/executable_file_written_in_administrative_smb_share.yml index bdebfa442c..b56696e19e 100644 --- a/detections/endpoint/executable_file_written_in_administrative_smb_share.yml +++ b/detections/endpoint/executable_file_written_in_administrative_smb_share.yml @@ -18,12 +18,12 @@ references: - https://whitehat.eu/incident-response-case-study-featuring-ryuk-and-trickbot-part-2/ - https://thedfirreport.com/2023/05/22/icedid-macro-ends-in-nokoyawa-ransomware/ drilldown_searches: -- name: View the detection results for $src_user$ - search: '%original_detection_search% | search src_user = $src_user$' +- name: View the detection results for - "$src_user$" + search: '%original_detection_search% | search src_user = "$src_user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $src_user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($src_user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$src_user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src_user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/executables_or_script_creation_in_suspicious_path.yml b/detections/endpoint/executables_or_script_creation_in_suspicious_path.yml index 1b9f609757..a7b570e394 100644 --- a/detections/endpoint/executables_or_script_creation_in_suspicious_path.yml +++ b/detections/endpoint/executables_or_script_creation_in_suspicious_path.yml @@ -17,12 +17,12 @@ references: - https://twitter.com/pr0xylife/status/1590394227758104576 - https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/ drilldown_searches: -- name: View the detection results for $user$ - search: '%original_detection_search% | search user = $user$' +- name: View the detection results for - "$user$" + search: '%original_detection_search% | search user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/execute_javascript_with_jscript_com_clsid.yml b/detections/endpoint/execute_javascript_with_jscript_com_clsid.yml index 462fb15c9d..89c3b7d9a9 100644 --- a/detections/endpoint/execute_javascript_with_jscript_com_clsid.yml +++ b/detections/endpoint/execute_javascript_with_jscript_com_clsid.yml @@ -16,12 +16,12 @@ known_false_positives: unknown references: - https://app.any.run/tasks/c0f98850-af65-4352-9746-fbebadee4f05/ drilldown_searches: -- name: View the detection results for $user$ and $dest$ - search: '%original_detection_search% | search user = $user$ dest = $dest$' +- name: View the detection results for - "$user$" and "$dest$" + search: '%original_detection_search% | search user = "$user$" dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ and $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$, $dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" and "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/execution_of_file_with_multiple_extensions.yml b/detections/endpoint/execution_of_file_with_multiple_extensions.yml index 9531f0918b..5574f34c31 100644 --- a/detections/endpoint/execution_of_file_with_multiple_extensions.yml +++ b/detections/endpoint/execution_of_file_with_multiple_extensions.yml @@ -16,12 +16,12 @@ known_false_positives: None identified. references: - https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat drilldown_searches: -- name: View the detection results for $user$ and $dest$ - search: '%original_detection_search% | search user = $user$ dest = $dest$' +- name: View the detection results for - "$user$" and "$dest$" + search: '%original_detection_search% | search user = "$user$" dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ and $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$, $dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" and "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/extraction_of_registry_hives.yml b/detections/endpoint/extraction_of_registry_hives.yml index 2cecb85452..1254dd54ec 100644 --- a/detections/endpoint/extraction_of_registry_hives.yml +++ b/detections/endpoint/extraction_of_registry_hives.yml @@ -18,12 +18,12 @@ references: - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.002/T1003.002.md - https://media.defense.gov/2023/May/24/2003229517/-1/-1/0/CSA_Living_off_the_Land.PDF drilldown_searches: -- name: View the detection results for $user$ and $dest$ - search: '%original_detection_search% | search user = $user$ dest = $dest$' +- name: View the detection results for - "$user$" and "$dest$" + search: '%original_detection_search% | search user = "$user$" dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ and $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$, $dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" and "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/file_with_samsam_extension.yml b/detections/endpoint/file_with_samsam_extension.yml index 2c8485a175..24740f075c 100644 --- a/detections/endpoint/file_with_samsam_extension.yml +++ b/detections/endpoint/file_with_samsam_extension.yml @@ -15,12 +15,12 @@ how_to_implement: You must be ingesting data that records file-system activity f known_false_positives: Because these extensions are not typically used in normal operations, you should investigate all results. references: [] drilldown_searches: -- name: View the detection results for $user$ and $dest$ - search: '%original_detection_search% | search user = $user$ dest = $dest$' +- name: View the detection results for - "$user$" and "$dest$" + search: '%original_detection_search% | search user = "$user$" dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ and $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$, $dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" and "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/firewall_allowed_program_enable.yml b/detections/endpoint/firewall_allowed_program_enable.yml index 3637c9244b..6ff2687e3f 100644 --- a/detections/endpoint/firewall_allowed_program_enable.yml +++ b/detections/endpoint/firewall_allowed_program_enable.yml @@ -16,12 +16,12 @@ known_false_positives: A network operator or systems administrator may utilize a references: - https://app.any.run/tasks/ad4c3cda-41f2-4401-8dba-56cc2d245488/ drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/first_time_seen_child_process_of_zoom.yml b/detections/endpoint/first_time_seen_child_process_of_zoom.yml index e3be108259..eb7ecf75e3 100644 --- a/detections/endpoint/first_time_seen_child_process_of_zoom.yml +++ b/detections/endpoint/first_time_seen_child_process_of_zoom.yml @@ -5,39 +5,14 @@ date: '2024-10-17' author: David Dorsey, Splunk status: experimental type: Anomaly -description: The following analytic identifies the first-time execution of child processes - spawned by Zoom (zoom.exe or zoom.us). It leverages Endpoint Detection and Response - (EDR) data, specifically monitoring process creation events and comparing them against - previously seen child processes. This activity is significant because the execution - of unfamiliar child processes by Zoom could indicate malicious exploitation or misuse - of the application. If confirmed malicious, this could lead to unauthorized code - execution, data exfiltration, or further compromise of the endpoint. +description: The following analytic identifies the first-time execution of child processes spawned by Zoom (zoom.exe or zoom.us). It leverages Endpoint Detection and Response (EDR) data, specifically monitoring process creation events and comparing them against previously seen child processes. This activity is significant because the execution of unfamiliar child processes by Zoom could indicate malicious exploitation or misuse of the application. If confirmed malicious, this could lead to unauthorized code execution, data exfiltration, or further compromise of the endpoint. data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` min(_time) as firstTime values(Processes.parent_process_name) - as parent_process_name values(Processes.parent_process_id) as parent_process_id - values(Processes.process_name) as process_name values(Processes.process) as process - from datamodel=Endpoint.Processes where (Processes.parent_process_name=zoom.exe - OR Processes.parent_process_name=zoom.us) by Processes.process_id Processes.dest - | `drop_dm_object_name(Processes)` | lookup zoom_first_time_child_process dest as - dest process_name as process_name OUTPUT firstTimeSeen | where isnull(firstTimeSeen) - OR firstTimeSeen > relative_time(now(), "`previously_seen_zoom_child_processes_window`") - | `security_content_ctime(firstTime)` | table firstTime dest, process_id, process_name, - parent_process_id, parent_process_name |`first_time_seen_child_process_of_zoom_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection - and Response (EDR) agents. These agents are designed to provide security-related - telemetry from the endpoints where the agent is installed. To implement this search, - you must ingest logs that contain the process GUID, process name, and parent process. - Additionally, you must ingest complete command-line executions. These logs must - be processed using the appropriate Splunk Technology Add-ons that are specific to - the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` - data model. Use the Splunk Common Information Model (CIM) to normalize the field - names and speed up the data modeling process. -known_false_positives: A new child process of zoom isn't malicious by that fact alone. - Further investigation of the actions of the child process is needed to verify any - malicious behavior is taken. +search: '| tstats `security_content_summariesonly` min(_time) as firstTime values(Processes.parent_process_name) as parent_process_name values(Processes.parent_process_id) as parent_process_id values(Processes.process_name) as process_name values(Processes.process) as process from datamodel=Endpoint.Processes where (Processes.parent_process_name=zoom.exe OR Processes.parent_process_name=zoom.us) by Processes.process_id Processes.dest | `drop_dm_object_name(Processes)` | lookup zoom_first_time_child_process dest as dest process_name as process_name OUTPUT firstTimeSeen | where isnull(firstTimeSeen) OR firstTimeSeen > relative_time(now(), "`previously_seen_zoom_child_processes_window`") | `security_content_ctime(firstTime)` | table firstTime dest, process_id, process_name, parent_process_id, parent_process_name |`first_time_seen_child_process_of_zoom_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. +known_false_positives: A new child process of zoom isn't malicious by that fact alone. Further investigation of the actions of the child process is needed to verify any malicious behavior is taken. references: [] tags: analytic_story: @@ -45,8 +20,7 @@ tags: asset_type: Endpoint confidence: 80 impact: 80 - message: Child process $process_name$ with $process_id$ spawned by zoom.exe or zoom.us - which has not been previously on host $dest$ + message: Child process $process_name$ with $process_id$ spawned by zoom.exe or zoom.us which has not been previously on host $dest$ mitre_attack_id: - T1068 observable: diff --git a/detections/endpoint/first_time_seen_running_windows_service.yml b/detections/endpoint/first_time_seen_running_windows_service.yml index 052e1a8104..0fd17fe892 100644 --- a/detections/endpoint/first_time_seen_running_windows_service.yml +++ b/detections/endpoint/first_time_seen_running_windows_service.yml @@ -5,32 +5,12 @@ date: '2024-10-17' author: David Dorsey, Splunk status: experimental type: Anomaly -description: The following analytic detects the first occurrence of a Windows service - running in your environment. It leverages Windows system event logs, specifically - EventCode 7036, to identify services entering the "running" state. This activity - is significant because the appearance of a new or previously unseen service could - indicate the installation of unauthorized or malicious software. If confirmed malicious, - this activity could allow an attacker to execute arbitrary code, maintain persistence, - or escalate privileges within the environment. Monitoring for new services helps - in early detection of potential threats. +description: The following analytic detects the first occurrence of a Windows service running in your environment. It leverages Windows system event logs, specifically EventCode 7036, to identify services entering the "running" state. This activity is significant because the appearance of a new or previously unseen service could indicate the installation of unauthorized or malicious software. If confirmed malicious, this activity could allow an attacker to execute arbitrary code, maintain persistence, or escalate privileges within the environment. Monitoring for new services helps in early detection of potential threats. data_source: - Windows Event Log System 7036 -search: '`wineventlog_system` EventCode=7036 | rex field=Message "The (?[-\(\)\s\w]+) - service entered the (?\w+) state" | where state="running" | lookup previously_seen_running_windows_services - service as service OUTPUT firstTimeSeen | where isnull(firstTimeSeen) OR firstTimeSeen - > relative_time(now(), `previously_seen_windows_services_window`) | table _time - dest service | `first_time_seen_running_windows_service_filter`' -how_to_implement: While this search does not require you to adhere to Splunk CIM, - you must be ingesting your Windows system event logs in order for this search to - execute successfully. You should run the baseline search `Previously Seen Running - Windows Services - Initial` to build the initial table of child processes and hostnames - for this search to work. You should also schedule at the same interval as this search - the second baseline search `Previously Seen Running Windows Services - Update` to - keep this table up to date and to age out old Windows Services. Please update the - `previously_seen_windows_services_window` macro to adjust the time window. Please - ensure that the Splunk Add-on for Microsoft Windows is version 8.0.0 or above. -known_false_positives: A previously unseen service is not necessarily malicious. Verify - that the service is legitimate and that was installed by a legitimate process. +search: '`wineventlog_system` EventCode=7036 | rex field=Message "The (?[-\(\)\s\w]+) service entered the (?\w+) state" | where state="running" | lookup previously_seen_running_windows_services service as service OUTPUT firstTimeSeen | where isnull(firstTimeSeen) OR firstTimeSeen > relative_time(now(), `previously_seen_windows_services_window`) | table _time dest service | `first_time_seen_running_windows_service_filter`' +how_to_implement: While this search does not require you to adhere to Splunk CIM, you must be ingesting your Windows system event logs in order for this search to execute successfully. You should run the baseline search `Previously Seen Running Windows Services - Initial` to build the initial table of child processes and hostnames for this search to work. You should also schedule at the same interval as this search the second baseline search `Previously Seen Running Windows Services - Update` to keep this table up to date and to age out old Windows Services. Please update the `previously_seen_windows_services_window` macro to adjust the time window. Please ensure that the Splunk Add-on for Microsoft Windows is version 8.0.0 or above. +known_false_positives: A previously unseen service is not necessarily malicious. Verify that the service is legitimate and that was installed by a legitimate process. references: [] tags: analytic_story: diff --git a/detections/endpoint/fodhelper_uac_bypass.yml b/detections/endpoint/fodhelper_uac_bypass.yml index 128f3f1b05..a8ecf8d037 100644 --- a/detections/endpoint/fodhelper_uac_bypass.yml +++ b/detections/endpoint/fodhelper_uac_bypass.yml @@ -19,12 +19,12 @@ references: - https://github.com/gushmazuko/WinBypass/blob/master/FodhelperBypass.ps1 - https://attack.mitre.org/techniques/T1548/002/ drilldown_searches: -- name: View the detection results for $user$ and $dest$ - search: '%original_detection_search% | search user = $user$ dest = $dest$' +- name: View the detection results for - "$user$" and "$dest$" + search: '%original_detection_search% | search user = "$user$" dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ and $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$, $dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" and "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/fsutil_zeroing_file.yml b/detections/endpoint/fsutil_zeroing_file.yml index 00765f85bf..79105d3614 100644 --- a/detections/endpoint/fsutil_zeroing_file.yml +++ b/detections/endpoint/fsutil_zeroing_file.yml @@ -17,12 +17,12 @@ references: - https://app.any.run/tasks/e0ac072d-58c9-4f53-8a3b-3e491c7ac5db/ - https://news.sophos.com/en-us/2020/04/24/lockbit-ransomware-borrows-tricks-to-keep-up-with-revil-and-maze/ drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/get_addefaultdomainpasswordpolicy_with_powershell.yml b/detections/endpoint/get_addefaultdomainpasswordpolicy_with_powershell.yml index 410a1ff0d4..41436e0b0f 100644 --- a/detections/endpoint/get_addefaultdomainpasswordpolicy_with_powershell.yml +++ b/detections/endpoint/get_addefaultdomainpasswordpolicy_with_powershell.yml @@ -5,34 +5,13 @@ date: '2024-10-17' author: Teoderick Contreras, Splunk status: production type: Hunting -description: The following analytic detects the execution of `powershell.exe` running - the `Get-ADDefaultDomainPasswordPolicy` cmdlet, which is used to retrieve the password - policy in a Windows domain. This detection leverages data from Endpoint Detection - and Response (EDR) agents, focusing on process names and command-line executions. - Monitoring this activity is crucial as it can indicate attempts by adversaries to - gather information about domain policies for situational awareness and Active Directory - discovery. If confirmed malicious, this activity could lead to further reconnaissance - and potential exploitation of domain security settings. +description: The following analytic detects the execution of `powershell.exe` running the `Get-ADDefaultDomainPasswordPolicy` cmdlet, which is used to retrieve the password policy in a Windows domain. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. Monitoring this activity is crucial as it can indicate attempts by adversaries to gather information about domain policies for situational awareness and Active Directory discovery. If confirmed malicious, this activity could lead to further reconnaissance and potential exploitation of domain security settings. data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) - as lastTime from datamodel=Endpoint.Processes where (Processes.process_name="cmd.exe" - OR Processes.process_name="powershell*") AND Processes.process = "*Get-ADDefaultDomainPasswordPolicy*" - by Processes.dest Processes.user Processes.parent_process Processes.process_name - Processes.process Processes.process_id Processes.parent_process_id Processes.parent_process_name - | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` - | `get_addefaultdomainpasswordpolicy_with_powershell_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection - and Response (EDR) agents. These agents are designed to provide security-related - telemetry from the endpoints where the agent is installed. To implement this search, - you must ingest logs that contain the process GUID, process name, and parent process. - Additionally, you must ingest complete command-line executions. These logs must - be processed using the appropriate Splunk Technology Add-ons that are specific to - the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` - data model. Use the Splunk Common Information Model (CIM) to normalize the field - names and speed up the data modeling process. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name="cmd.exe" OR Processes.process_name="powershell*") AND Processes.process = "*Get-ADDefaultDomainPasswordPolicy*" by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `get_addefaultdomainpasswordpolicy_with_powershell_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. known_false_positives: Administrators or power users may use this command for troubleshooting. references: - https://github.com/S1ckB0y1337/Active-Directory-Exploitation-Cheat-Sheet @@ -79,7 +58,6 @@ tags: tests: - name: True Positive Test attack_data: - - data: - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1201/pwd_policy_discovery/windows-sysmon.log + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1201/pwd_policy_discovery/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/get_addefaultdomainpasswordpolicy_with_powershell_script_block.yml b/detections/endpoint/get_addefaultdomainpasswordpolicy_with_powershell_script_block.yml index e7df20ef6f..0114894dfc 100644 --- a/detections/endpoint/get_addefaultdomainpasswordpolicy_with_powershell_script_block.yml +++ b/detections/endpoint/get_addefaultdomainpasswordpolicy_with_powershell_script_block.yml @@ -5,23 +5,11 @@ date: '2024-10-17' author: Teoderick Contreras, Mauricio Velazco, Splunk status: production type: Hunting -description: The following analytic detects the execution of the `Get-ADDefaultDomainPasswordPolicy` - PowerShell cmdlet, which is used to retrieve the password policy in a Windows domain. - This detection leverages PowerShell Script Block Logging (EventCode=4104) to identify - the specific command execution. Monitoring this activity is significant as it can - indicate an attempt to gather domain policy information, which is often a precursor - to further malicious actions. If confirmed malicious, this activity could allow - an attacker to understand password policies, aiding in password attacks or further - domain enumeration. +description: The following analytic detects the execution of the `Get-ADDefaultDomainPasswordPolicy` PowerShell cmdlet, which is used to retrieve the password policy in a Windows domain. This detection leverages PowerShell Script Block Logging (EventCode=4104) to identify the specific command execution. Monitoring this activity is significant as it can indicate an attempt to gather domain policy information, which is often a precursor to further malicious actions. If confirmed malicious, this activity could allow an attacker to understand password policies, aiding in password attacks or further domain enumeration. data_source: - Powershell Script Block Logging 4104 -search: '`powershell` EventCode=4104 ScriptBlockText ="*Get-ADDefaultDomainPasswordPolicy*" - | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText - Computer UserID | rename Computer as dest, UserID as user | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` | `get_addefaultdomainpasswordpolicy_with_powershell_script_block_filter`' -how_to_implement: The following Hunting analytic requires PowerShell operational logs - to be imported. Modify the powershell macro as needed to match the sourcetype or - add index. This analytic is specific to 4104, or PowerShell Script Block Logging. +search: '`powershell` EventCode=4104 ScriptBlockText ="*Get-ADDefaultDomainPasswordPolicy*" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | rename Computer as dest, UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `get_addefaultdomainpasswordpolicy_with_powershell_script_block_filter`' +how_to_implement: The following Hunting analytic requires PowerShell operational logs to be imported. Modify the powershell macro as needed to match the sourcetype or add index. This analytic is specific to 4104, or PowerShell Script Block Logging. known_false_positives: Administrators or power users may use this command for troubleshooting. references: - https://github.com/S1ckB0y1337/Active-Directory-Exploitation-Cheat-Sheet @@ -33,8 +21,7 @@ tags: asset_type: Endpoint confidence: 30 impact: 30 - message: Powershell process having commandline "Get-ADDefaultDomainPasswordPolicy" - to query domain password policy on $dest$ + message: Powershell process having commandline "Get-ADDefaultDomainPasswordPolicy" to query domain password policy on $dest$ mitre_attack_id: - T1201 observable: @@ -61,7 +48,6 @@ tags: tests: - name: True Positive Test attack_data: - - data: - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1201/pwd_policy_discovery/windows-powershell-xml.log + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1201/pwd_policy_discovery/windows-powershell-xml.log source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/get_aduser_with_powershell.yml b/detections/endpoint/get_aduser_with_powershell.yml index c7cb4113ee..82320418c7 100644 --- a/detections/endpoint/get_aduser_with_powershell.yml +++ b/detections/endpoint/get_aduser_with_powershell.yml @@ -5,34 +5,13 @@ date: '2024-10-17' author: Teoderick Contreras, Mauricio Velazco, Splunk status: production type: Hunting -description: The following analytic detects the execution of `powershell.exe` with - command-line arguments used to enumerate domain users via the `Get-ADUser` cmdlet. - It leverages data from Endpoint Detection and Response (EDR) agents, focusing on - process names and command-line executions. This activity is significant as it may - indicate an attempt by adversaries to gather information about domain users for - situational awareness and Active Directory discovery. If confirmed malicious, this - behavior could lead to further reconnaissance, enabling attackers to identify high-value - targets and plan subsequent attacks. +description: The following analytic detects the execution of `powershell.exe` with command-line arguments used to enumerate domain users via the `Get-ADUser` cmdlet. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. This activity is significant as it may indicate an attempt by adversaries to gather information about domain users for situational awareness and Active Directory discovery. If confirmed malicious, this behavior could lead to further reconnaissance, enabling attackers to identify high-value targets and plan subsequent attacks. data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) - as lastTime from datamodel=Endpoint.Processes where (Processes.process_name="cmd.exe" - OR Processes.process_name="powershell*") AND Processes.process = "*Get-ADUser*" - AND Processes.process = "*-filter*" by Processes.dest Processes.user Processes.parent_process - Processes.process_name Processes.process Processes.process_id Processes.parent_process_id - Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` | `get_aduser_with_powershell_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection - and Response (EDR) agents. These agents are designed to provide security-related - telemetry from the endpoints where the agent is installed. To implement this search, - you must ingest logs that contain the process GUID, process name, and parent process. - Additionally, you must ingest complete command-line executions. These logs must - be processed using the appropriate Splunk Technology Add-ons that are specific to - the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` - data model. Use the Splunk Common Information Model (CIM) to normalize the field - names and speed up the data modeling process. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name="cmd.exe" OR Processes.process_name="powershell*") AND Processes.process = "*Get-ADUser*" AND Processes.process = "*-filter*" by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `get_aduser_with_powershell_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. known_false_positives: Administrators or power users may use this command for troubleshooting. references: - https://www.blackhillsinfosec.com/red-blue-purple/ @@ -81,7 +60,6 @@ tags: tests: - name: True Positive Test attack_data: - - data: - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1087.002/AD_discovery/windows-sysmon.log + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1087.002/AD_discovery/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/get_aduser_with_powershell_script_block.yml b/detections/endpoint/get_aduser_with_powershell_script_block.yml index 6f06e5f96a..71278afb8e 100644 --- a/detections/endpoint/get_aduser_with_powershell_script_block.yml +++ b/detections/endpoint/get_aduser_with_powershell_script_block.yml @@ -5,23 +5,11 @@ date: '2024-10-17' author: Teoderick Contreras, Mauricio Velazco, Splunk status: production type: Hunting -description: The following analytic detects the execution of the `Get-AdUser` PowerShell - cmdlet, which is used to enumerate all domain users. It leverages PowerShell Script - Block Logging (EventCode=4104) to identify instances where this command is executed - with a filter. This activity is significant as it may indicate an attempt by adversaries - or Red Teams to gather information about domain users for situational awareness - and Active Directory discovery. If confirmed malicious, this behavior could lead - to further reconnaissance and potential exploitation of user accounts within the - domain. +description: The following analytic detects the execution of the `Get-AdUser` PowerShell cmdlet, which is used to enumerate all domain users. It leverages PowerShell Script Block Logging (EventCode=4104) to identify instances where this command is executed with a filter. This activity is significant as it may indicate an attempt by adversaries or Red Teams to gather information about domain users for situational awareness and Active Directory discovery. If confirmed malicious, this behavior could lead to further reconnaissance and potential exploitation of user accounts within the domain. data_source: - Powershell Script Block Logging 4104 -search: '`powershell` EventCode=4104 ScriptBlockText = "*get-aduser*" ScriptBlockText - = "*-filter*" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode - ScriptBlockText Computer UserID | rename Computer as dest, UserID as user| `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` | `get_aduser_with_powershell_script_block_filter`' -how_to_implement: The following Hunting analytic requires PowerShell operational logs - to be imported. Modify the powershell macro as needed to match the sourcetype or - add index. This analytic is specific to 4104, or PowerShell Script Block Logging. +search: '`powershell` EventCode=4104 ScriptBlockText = "*get-aduser*" ScriptBlockText = "*-filter*" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | rename Computer as dest, UserID as user| `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `get_aduser_with_powershell_script_block_filter`' +how_to_implement: The following Hunting analytic requires PowerShell operational logs to be imported. Modify the powershell macro as needed to match the sourcetype or add index. This analytic is specific to 4104, or PowerShell Script Block Logging. known_false_positives: Administrators or power users may use this command for troubleshooting. references: - https://www.blackhillsinfosec.com/red-blue-purple/ @@ -34,8 +22,7 @@ tags: asset_type: Endpoint confidence: 50 impact: 50 - message: Powershell process having commandline "get-aduser" for user enumeration - on $dest$ + message: Powershell process having commandline "get-aduser" for user enumeration on $dest$ mitre_attack_id: - T1087.002 - T1087 @@ -63,7 +50,6 @@ tags: tests: - name: True Positive Test attack_data: - - data: - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1087.002/AD_discovery/aduser_powershell.log + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1087.002/AD_discovery/aduser_powershell.log source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/get_aduserresultantpasswordpolicy_with_powershell.yml b/detections/endpoint/get_aduserresultantpasswordpolicy_with_powershell.yml index e626a5f7ca..8280bc5935 100644 --- a/detections/endpoint/get_aduserresultantpasswordpolicy_with_powershell.yml +++ b/detections/endpoint/get_aduserresultantpasswordpolicy_with_powershell.yml @@ -18,12 +18,12 @@ references: - https://attack.mitre.org/techniques/T1201/ - https://docs.microsoft.com/en-us/powershell/module/activedirectory/get-aduserresultantpasswordpolicy?view=windowsserver2019-ps drilldown_searches: -- name: View the detection results for $user$ and $dest$ - search: '%original_detection_search% | search user = $user$ dest = $dest$' +- name: View the detection results for - "$user$" and "$dest$" + search: '%original_detection_search% | search user = "$user$" dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ and $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$, $dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" and "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/get_aduserresultantpasswordpolicy_with_powershell_script_block.yml b/detections/endpoint/get_aduserresultantpasswordpolicy_with_powershell_script_block.yml index 8a840c344d..3781d1256a 100644 --- a/detections/endpoint/get_aduserresultantpasswordpolicy_with_powershell_script_block.yml +++ b/detections/endpoint/get_aduserresultantpasswordpolicy_with_powershell_script_block.yml @@ -16,12 +16,12 @@ references: - https://attack.mitre.org/techniques/T1201/ - https://docs.microsoft.com/en-us/powershell/module/activedirectory/get-aduserresultantpasswordpolicy?view=windowsserver2019-ps drilldown_searches: -- name: View the detection results for $dest$ and $user$ - search: '%original_detection_search% | search dest = $dest$ user = $user$' +- name: View the detection results for - "$dest$" and "$user$" + search: '%original_detection_search% | search dest = "$dest$" user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ and $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$, $user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" and "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/get_domainpolicy_with_powershell.yml b/detections/endpoint/get_domainpolicy_with_powershell.yml index bd0752c16f..eee3a88cf3 100644 --- a/detections/endpoint/get_domainpolicy_with_powershell.yml +++ b/detections/endpoint/get_domainpolicy_with_powershell.yml @@ -18,12 +18,12 @@ references: - https://powersploit.readthedocs.io/en/latest/Recon/Get-DomainPolicy/ - https://attack.mitre.org/techniques/T1201/ drilldown_searches: -- name: View the detection results for $user$ and $dest$ - search: '%original_detection_search% | search user = $user$ dest = $dest$' +- name: View the detection results for - "$user$" and "$dest$" + search: '%original_detection_search% | search user = "$user$" dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ and $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$, $dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" and "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/get_domainpolicy_with_powershell_script_block.yml b/detections/endpoint/get_domainpolicy_with_powershell_script_block.yml index 77fe89c4eb..8e250438ab 100644 --- a/detections/endpoint/get_domainpolicy_with_powershell_script_block.yml +++ b/detections/endpoint/get_domainpolicy_with_powershell_script_block.yml @@ -16,12 +16,12 @@ references: - https://powersploit.readthedocs.io/en/latest/Recon/Get-DomainPolicy/ - https://attack.mitre.org/techniques/T1201/ drilldown_searches: -- name: View the detection results for $Computer$ and $UserID$ - search: '%original_detection_search% | search Computer = $Computer$ UserID = $UserID$' +- name: View the detection results for - "$Computer$" and "$UserID$" + search: '%original_detection_search% | search Computer = "$Computer$" UserID = "$UserID$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $Computer$ and $UserID$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($Computer$, $UserID$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$Computer$" and "$UserID$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$Computer$", "$UserID$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/get_domaintrust_with_powershell.yml b/detections/endpoint/get_domaintrust_with_powershell.yml index f6d36287da..68d49a0d5a 100644 --- a/detections/endpoint/get_domaintrust_with_powershell.yml +++ b/detections/endpoint/get_domaintrust_with_powershell.yml @@ -16,12 +16,12 @@ known_false_positives: Limited false positives as this requires an active Admini references: - https://blog.harmj0y.net/redteaming/a-guide-to-attacking-domain-trusts/ drilldown_searches: -- name: View the detection results for $user$ and $dest$ - search: '%original_detection_search% | search user = $user$ dest = $dest$' +- name: View the detection results for - "$user$" and "$dest$" + search: '%original_detection_search% | search user = "$user$" dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ and $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$, $dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" and "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/get_domaintrust_with_powershell_script_block.yml b/detections/endpoint/get_domaintrust_with_powershell_script_block.yml index 039c2e2ba6..44cc68e573 100644 --- a/detections/endpoint/get_domaintrust_with_powershell_script_block.yml +++ b/detections/endpoint/get_domaintrust_with_powershell_script_block.yml @@ -18,12 +18,12 @@ references: - https://static1.squarespace.com/static/552092d5e4b0661088167e5c/t/59c1814829f18782e24f1fe2/1505853768977/Windows+PowerShell+Logging+Cheat+Sheet+ver+Sept+2017+v2.1.pdf - https://www.crowdstrike.com/blog/investigating-powershell-command-and-script-logging/ drilldown_searches: -- name: View the detection results for $user$ and $dest$ - search: '%original_detection_search% | search user = $user$ dest = $dest$' +- name: View the detection results for - "$user$" and "$dest$" + search: '%original_detection_search% | search user = "$user$" dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ and $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$, $dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" and "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/get_domainuser_with_powershell.yml b/detections/endpoint/get_domainuser_with_powershell.yml index ac2a28b6b6..09157e6c35 100644 --- a/detections/endpoint/get_domainuser_with_powershell.yml +++ b/detections/endpoint/get_domainuser_with_powershell.yml @@ -16,12 +16,12 @@ known_false_positives: Administrators or power users may use this command for tr references: - https://powersploit.readthedocs.io/en/latest/Recon/Get-DomainUser/ drilldown_searches: -- name: View the detection results for $user$ and $dest$ - search: '%original_detection_search% | search user = $user$ dest = $dest$' +- name: View the detection results for - "$user$" and "$dest$" + search: '%original_detection_search% | search user = "$user$" dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ and $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$, $dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" and "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/get_domainuser_with_powershell_script_block.yml b/detections/endpoint/get_domainuser_with_powershell_script_block.yml index 0bf6289c09..0b5ef9ae59 100644 --- a/detections/endpoint/get_domainuser_with_powershell_script_block.yml +++ b/detections/endpoint/get_domainuser_with_powershell_script_block.yml @@ -14,12 +14,12 @@ known_false_positives: Administrators or power users may use this command for tr references: - https://powersploit.readthedocs.io/en/latest/Recon/Get-DomainUser/ drilldown_searches: -- name: View the detection results for $dest$ and $user$ - search: '%original_detection_search% | search dest = $dest$ user = $user$' +- name: View the detection results for - "$dest$" and "$user$" + search: '%original_detection_search% | search dest = "$dest$" user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ and $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$, $user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" and "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/get_foresttrust_with_powershell.yml b/detections/endpoint/get_foresttrust_with_powershell.yml index 5340c28dd3..6630dcef06 100644 --- a/detections/endpoint/get_foresttrust_with_powershell.yml +++ b/detections/endpoint/get_foresttrust_with_powershell.yml @@ -16,12 +16,12 @@ known_false_positives: Limited false positives as this requires an active Admini references: - https://powersploit.readthedocs.io/en/latest/Recon/Get-ForestTrust/ drilldown_searches: -- name: View the detection results for $user$ and $dest$ - search: '%original_detection_search% | search user = $user$ dest = $dest$' +- name: View the detection results for - "$user$" and "$dest$" + search: '%original_detection_search% | search user = "$user$" dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ and $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$, $dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" and "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/get_foresttrust_with_powershell_script_block.yml b/detections/endpoint/get_foresttrust_with_powershell_script_block.yml index c1a77c3c8a..628748f9ad 100644 --- a/detections/endpoint/get_foresttrust_with_powershell_script_block.yml +++ b/detections/endpoint/get_foresttrust_with_powershell_script_block.yml @@ -15,12 +15,12 @@ references: - https://powersploit.readthedocs.io/en/latest/Recon/Get-ForestTrust/ - https://www.splunk.com/en_us/blog/security/hunting-for-malicious-powershell-using-script-block-logging.html drilldown_searches: -- name: View the detection results for $user$ and $dest$ - search: '%original_detection_search% | search user = $user$ dest = $dest$' +- name: View the detection results for - "$user$" and "$dest$" + search: '%original_detection_search% | search user = "$user$" dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ and $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$, $dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" and "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/get_wmiobject_group_discovery.yml b/detections/endpoint/get_wmiobject_group_discovery.yml index b0b2d97b57..47d25afbcd 100644 --- a/detections/endpoint/get_wmiobject_group_discovery.yml +++ b/detections/endpoint/get_wmiobject_group_discovery.yml @@ -5,33 +5,13 @@ date: '2024-10-17' author: Michael Haag, Splunk status: production type: Hunting -description: The following analytic detects the use of the `Get-WMIObject Win32_Group` - command executed via PowerShell to enumerate local groups on an endpoint. This detection - leverages data from Endpoint Detection and Response (EDR) agents, focusing on process - names and command-line executions. Identifying local groups can be a precursor to - privilege escalation or lateral movement. If confirmed malicious, this activity - could allow an attacker to map out group memberships, aiding in further exploitation - or unauthorized access to sensitive resources. +description: The following analytic detects the use of the `Get-WMIObject Win32_Group` command executed via PowerShell to enumerate local groups on an endpoint. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. Identifying local groups can be a precursor to privilege escalation or lateral movement. If confirmed malicious, this activity could allow an attacker to map out group memberships, aiding in further exploitation or unauthorized access to sensitive resources. data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) - as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=powershell.exe - OR processes.process_name=cmd.exe) (Processes.process="*Get-WMIObject*" AND Processes.process="*Win32_Group*") - by Processes.dest Processes.user Processes.parent_process_name Processes.process_name - Processes.process Processes.original_file_name Processes.process_id Processes.parent_process_id - | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | - `get_wmiobject_group_discovery_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection - and Response (EDR) agents. These agents are designed to provide security-related - telemetry from the endpoints where the agent is installed. To implement this search, - you must ingest logs that contain the process GUID, process name, and parent process. - Additionally, you must ingest complete command-line executions. These logs must - be processed using the appropriate Splunk Technology Add-ons that are specific to - the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` - data model. Use the Splunk Common Information Model (CIM) to normalize the field - names and speed up the data modeling process. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=powershell.exe OR processes.process_name=cmd.exe) (Processes.process="*Get-WMIObject*" AND Processes.process="*Win32_Group*") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.original_file_name Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `get_wmiobject_group_discovery_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. known_false_positives: False positives may be present. Tune as needed. references: - https://attack.mitre.org/techniques/T1069/001/ @@ -77,7 +57,6 @@ tags: tests: - name: True Positive Test attack_data: - - data: - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1069.001/atomic_red_team/windows-sysmon.log + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1069.001/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/get_wmiobject_group_discovery_with_script_block_logging.yml b/detections/endpoint/get_wmiobject_group_discovery_with_script_block_logging.yml index 7e4008aa1d..8ddbc70e57 100644 --- a/detections/endpoint/get_wmiobject_group_discovery_with_script_block_logging.yml +++ b/detections/endpoint/get_wmiobject_group_discovery_with_script_block_logging.yml @@ -5,22 +5,11 @@ date: '2024-10-17' author: Michael Haag, Splunk status: production type: Hunting -description: 'The following analytic detects the execution of the `Get-WMIObject Win32_Group` - command using PowerShell Script Block Logging (EventCode=4104). This method captures - the full command sent to PowerShell, allowing for detailed analysis. Identifying - group information on an endpoint is not inherently malicious but can be suspicious - based on context such as time, endpoint, and user. This activity is significant - as it may indicate reconnaissance efforts by an attacker. If confirmed malicious, - it could lead to further enumeration and potential lateral movement within the network.' +description: The following analytic detects the execution of the `Get-WMIObject Win32_Group` command using PowerShell Script Block Logging (EventCode=4104). This method captures the full command sent to PowerShell, allowing for detailed analysis. Identifying group information on an endpoint is not inherently malicious but can be suspicious based on context such as time, endpoint, and user. This activity is significant as it may indicate reconnaissance efforts by an attacker. If confirmed malicious, it could lead to further enumeration and potential lateral movement within the network. data_source: - Powershell Script Block Logging 4104 -search: '`powershell` EventCode=4104 ScriptBlockText = "*Get-WMIObject*" AND ScriptBlockText - = "*Win32_Group*" | stats count min(_time) as firstTime max(_time) as lastTime by - EventCode ScriptBlockText Computer UserID | rename Computer as dest, UserID as user - | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `get_wmiobject_group_discovery_with_script_block_logging_filter`' -how_to_implement: To successfully implement this analytic, you will need to enable - PowerShell Script Block Logging on some or all endpoints. Additional setup here - https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. +search: '`powershell` EventCode=4104 ScriptBlockText = "*Get-WMIObject*" AND ScriptBlockText = "*Win32_Group*" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | rename Computer as dest, UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `get_wmiobject_group_discovery_with_script_block_logging_filter`' +how_to_implement: To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. known_false_positives: False positives may be present. Tune as needed. references: - https://www.splunk.com/en_us/blog/security/powershell-detections-threat-research-release-august-2021.html @@ -63,7 +52,6 @@ tags: tests: - name: True Positive Test attack_data: - - data: - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1069.001/atomic_red_team/windows-powershell-xml.log + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1069.001/atomic_red_team/windows-powershell-xml.log source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/getadcomputer_with_powershell.yml b/detections/endpoint/getadcomputer_with_powershell.yml index e4d948611e..0709b3e36c 100644 --- a/detections/endpoint/getadcomputer_with_powershell.yml +++ b/detections/endpoint/getadcomputer_with_powershell.yml @@ -5,33 +5,13 @@ date: '2024-10-17' author: Mauricio Velazco, Splunk status: production type: Hunting -description: The following analytic detects the execution of `powershell.exe` with - the `Get-AdComputer` commandlet, which is used to discover remote systems within - a domain. This detection leverages data from Endpoint Detection and Response (EDR) - agents, focusing on process names and command-line arguments. This activity is significant - because it indicates potential reconnaissance efforts by adversaries to map out - domain computers, which is a common step in the attack lifecycle. If confirmed malicious, - this behavior could allow attackers to gain situational awareness and plan further - attacks, potentially leading to unauthorized access and data exfiltration. +description: The following analytic detects the execution of `powershell.exe` with the `Get-AdComputer` commandlet, which is used to discover remote systems within a domain. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line arguments. This activity is significant because it indicates potential reconnaissance efforts by adversaries to map out domain computers, which is a common step in the attack lifecycle. If confirmed malicious, this behavior could allow attackers to gain situational awareness and plan further attacks, potentially leading to unauthorized access and data exfiltration. data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) - as lastTime from datamodel=Endpoint.Processes where (Processes.process_name="powershell.exe") - (Processes.process=*Get-AdComputer*) by Processes.dest Processes.user Processes.parent_process - Processes.process_name Processes.process Processes.process_id Processes.parent_process_id - | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` - | `getadcomputer_with_powershell_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection - and Response (EDR) agents. These agents are designed to provide security-related - telemetry from the endpoints where the agent is installed. To implement this search, - you must ingest logs that contain the process GUID, process name, and parent process. - Additionally, you must ingest complete command-line executions. These logs must - be processed using the appropriate Splunk Technology Add-ons that are specific to - the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` - data model. Use the Splunk Common Information Model (CIM) to normalize the field - names and speed up the data modeling process. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name="powershell.exe") (Processes.process=*Get-AdComputer*) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `getadcomputer_with_powershell_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. known_false_positives: Administrators or power users may use this command for troubleshooting. references: - https://attack.mitre.org/techniques/T1018/ @@ -70,7 +50,6 @@ tags: tests: - name: True Positive Test attack_data: - - data: - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1018/AD_discovery/windows-sysmon.log + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1018/AD_discovery/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/getadcomputer_with_powershell_script_block.yml b/detections/endpoint/getadcomputer_with_powershell_script_block.yml index 3bae2a8c5d..e0789d5ff9 100644 --- a/detections/endpoint/getadcomputer_with_powershell_script_block.yml +++ b/detections/endpoint/getadcomputer_with_powershell_script_block.yml @@ -5,24 +5,12 @@ date: '2024-10-17' author: Mauricio Velazco, Splunk status: production type: Hunting -description: The following analytic detects the execution of the `Get-AdComputer` - PowerShell commandlet using PowerShell Script Block Logging (EventCode=4104). This - detection leverages script block text to identify when this commandlet is run. The - `Get-AdComputer` commandlet is significant as it can be used by adversaries to enumerate - all domain computers, aiding in situational awareness and Active Directory discovery. - If confirmed malicious, this activity could allow attackers to map the network, - identify targets, and plan further attacks, potentially leading to unauthorized - access and data exfiltration. +description: The following analytic detects the execution of the `Get-AdComputer` PowerShell commandlet using PowerShell Script Block Logging (EventCode=4104). This detection leverages script block text to identify when this commandlet is run. The `Get-AdComputer` commandlet is significant as it can be used by adversaries to enumerate all domain computers, aiding in situational awareness and Active Directory discovery. If confirmed malicious, this activity could allow attackers to map the network, identify targets, and plan further attacks, potentially leading to unauthorized access and data exfiltration. data_source: - Powershell Script Block Logging 4104 -search: '`powershell` EventCode=4104 (ScriptBlockText = "*Get-AdComputer*") | stats - count min(_time) as firstTime max(_time) as lastTime by Opcode Computer UserID EventCode - ScriptBlockText | `security_content_ctime(firstTime)` | `getadcomputer_with_powershell_script_block_filter`' -how_to_implement: To successfully implement this analytic, you will need to enable - PowerShell Script Block Logging on some or all endpoints. Additional setup here - https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. -known_false_positives: Administrators or power users may use this PowerShell commandlet - for troubleshooting. +search: '`powershell` EventCode=4104 (ScriptBlockText = "*Get-AdComputer*") | stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer UserID EventCode ScriptBlockText | `security_content_ctime(firstTime)` | `getadcomputer_with_powershell_script_block_filter`' +how_to_implement: To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. +known_false_positives: Administrators or power users may use this PowerShell commandlet for troubleshooting. references: - https://attack.mitre.org/techniques/T1018/ - https://docs.microsoft.com/en-us/powershell/module/activedirectory/get-adgroup?view=windowsserver2019-ps @@ -58,7 +46,6 @@ tags: tests: - name: True Positive Test attack_data: - - data: - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/powershell_script_block_logging/sbl_xml.log + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/powershell_script_block_logging/sbl_xml.log source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/getadgroup_with_powershell.yml b/detections/endpoint/getadgroup_with_powershell.yml index 7badc5c123..43a23bcc17 100644 --- a/detections/endpoint/getadgroup_with_powershell.yml +++ b/detections/endpoint/getadgroup_with_powershell.yml @@ -5,33 +5,13 @@ date: '2024-10-17' author: Mauricio Velazco, Splunk status: production type: Hunting -description: The following analytic detects the execution of `powershell.exe` with - the `Get-AdGroup` commandlet, which is used to query domain groups in a Windows - Domain. This detection leverages data from Endpoint Detection and Response (EDR) - agents, focusing on process names and command-line arguments. Monitoring this activity - is crucial as it may indicate an adversary or Red Team enumerating domain groups - for situational awareness and Active Directory discovery. If confirmed malicious, - this activity could lead to further reconnaissance, privilege escalation, or lateral - movement within the network. +description: The following analytic detects the execution of `powershell.exe` with the `Get-AdGroup` commandlet, which is used to query domain groups in a Windows Domain. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line arguments. Monitoring this activity is crucial as it may indicate an adversary or Red Team enumerating domain groups for situational awareness and Active Directory discovery. If confirmed malicious, this activity could lead to further reconnaissance, privilege escalation, or lateral movement within the network. data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) - as lastTime from datamodel=Endpoint.Processes where (Processes.process_name="powershell.exe") - (Processes.process=*Get-AdGroup*) by Processes.dest Processes.user Processes.parent_process - Processes.process_name Processes.process Processes.process_id Processes.parent_process_id - | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` - | `getadgroup_with_powershell_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection - and Response (EDR) agents. These agents are designed to provide security-related - telemetry from the endpoints where the agent is installed. To implement this search, - you must ingest logs that contain the process GUID, process name, and parent process. - Additionally, you must ingest complete command-line executions. These logs must - be processed using the appropriate Splunk Technology Add-ons that are specific to - the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` - data model. Use the Splunk Common Information Model (CIM) to normalize the field - names and speed up the data modeling process. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name="powershell.exe") (Processes.process=*Get-AdGroup*) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `getadgroup_with_powershell_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. known_false_positives: Administrators or power users may use this command for troubleshooting. references: - https://attack.mitre.org/techniques/T1069/002/ @@ -72,7 +52,6 @@ tags: tests: - name: True Positive Test attack_data: - - data: - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1069.002/AD_discovery/windows-sysmon.log + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1069.002/AD_discovery/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/getadgroup_with_powershell_script_block.yml b/detections/endpoint/getadgroup_with_powershell_script_block.yml index cd7ed788b8..fbb3a8aae3 100644 --- a/detections/endpoint/getadgroup_with_powershell_script_block.yml +++ b/detections/endpoint/getadgroup_with_powershell_script_block.yml @@ -5,24 +5,12 @@ date: '2024-10-17' author: Mauricio Velazco, Splunk status: production type: Hunting -description: The following analytic detects the execution of the `Get-AdGroup` PowerShell - cmdlet using PowerShell Script Block Logging (EventCode=4104). This cmdlet is used - to enumerate all domain groups, which adversaries may exploit for situational awareness - and Active Directory discovery. Monitoring this activity is crucial as it can indicate - reconnaissance efforts within the network. If confirmed malicious, this behavior - could lead to further exploitation, such as privilege escalation or lateral movement, - by providing attackers with detailed information about the domain's group structure. +description: The following analytic detects the execution of the `Get-AdGroup` PowerShell cmdlet using PowerShell Script Block Logging (EventCode=4104). This cmdlet is used to enumerate all domain groups, which adversaries may exploit for situational awareness and Active Directory discovery. Monitoring this activity is crucial as it can indicate reconnaissance efforts within the network. If confirmed malicious, this behavior could lead to further exploitation, such as privilege escalation or lateral movement, by providing attackers with detailed information about the domain's group structure. data_source: - Powershell Script Block Logging 4104 -search: '`powershell` EventCode=4104 ScriptBlockText = "*Get-ADGroup*" | stats count - min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer - UserID | rename Computer as dest, UserID as user | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` | `getadgroup_with_powershell_script_block_filter`' -how_to_implement: To successfully implement this analytic, you will need to enable - PowerShell Script Block Logging on some or all endpoints. Additional setup here - https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. -known_false_positives: Administrators or power users may use this PowerShell commandlet - for troubleshooting. +search: '`powershell` EventCode=4104 ScriptBlockText = "*Get-ADGroup*" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | rename Computer as dest, UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `getadgroup_with_powershell_script_block_filter`' +how_to_implement: To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. +known_false_positives: Administrators or power users may use this PowerShell commandlet for troubleshooting. references: - https://attack.mitre.org/techniques/T1069/002/ - https://docs.microsoft.com/en-us/powershell/module/activedirectory/get-adgroup?view=windowsserver2019-ps @@ -56,7 +44,6 @@ tags: tests: - name: True Positive Test attack_data: - - data: - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1069.002/AD_discovery/windows-powershell-xml.log + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1069.002/AD_discovery/windows-powershell-xml.log source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/getcurrent_user_with_powershell.yml b/detections/endpoint/getcurrent_user_with_powershell.yml index b6d4d4ed3d..ce68940054 100644 --- a/detections/endpoint/getcurrent_user_with_powershell.yml +++ b/detections/endpoint/getcurrent_user_with_powershell.yml @@ -5,33 +5,13 @@ date: '2024-10-17' author: Mauricio Velazco, Splunk status: production type: Hunting -description: The following analytic detects the execution of `powershell.exe` with - command-line arguments invoking the `GetCurrent` method of the WindowsIdentity .NET - class. This detection leverages data from Endpoint Detection and Response (EDR) - agents, focusing on process names and command-line executions. This activity is - significant as adversaries may use this method to identify the logged-in user on - a compromised endpoint, aiding in situational awareness and Active Directory discovery. - If confirmed malicious, this could allow attackers to gain insights into user context, - potentially facilitating further exploitation and lateral movement within the network. +description: The following analytic detects the execution of `powershell.exe` with command-line arguments invoking the `GetCurrent` method of the WindowsIdentity .NET class. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. This activity is significant as adversaries may use this method to identify the logged-in user on a compromised endpoint, aiding in situational awareness and Active Directory discovery. If confirmed malicious, this could allow attackers to gain insights into user context, potentially facilitating further exploitation and lateral movement within the network. data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) - as lastTime from datamodel=Endpoint.Processes where (Processes.process_name="powershell.exe") - (Processes.process=*System.Security.Principal.WindowsIdentity* OR Processes.process=*GetCurrent()*) - by Processes.dest Processes.user Processes.parent_process Processes.process_name - Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` - | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `getcurrent_user_with_powershell_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection - and Response (EDR) agents. These agents are designed to provide security-related - telemetry from the endpoints where the agent is installed. To implement this search, - you must ingest logs that contain the process GUID, process name, and parent process. - Additionally, you must ingest complete command-line executions. These logs must - be processed using the appropriate Splunk Technology Add-ons that are specific to - the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` - data model. Use the Splunk Common Information Model (CIM) to normalize the field - names and speed up the data modeling process. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name="powershell.exe") (Processes.process=*System.Security.Principal.WindowsIdentity* OR Processes.process=*GetCurrent()*) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `getcurrent_user_with_powershell_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. known_false_positives: Administrators or power users may use this command for troubleshooting. references: - https://attack.mitre.org/techniques/T1033/ @@ -71,7 +51,6 @@ tags: tests: - name: True Positive Test attack_data: - - data: - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1033/AD_discovery/windows-sysmon.log + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1033/AD_discovery/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/getcurrent_user_with_powershell_script_block.yml b/detections/endpoint/getcurrent_user_with_powershell_script_block.yml index 42196bffd5..e3fd1c28ce 100644 --- a/detections/endpoint/getcurrent_user_with_powershell_script_block.yml +++ b/detections/endpoint/getcurrent_user_with_powershell_script_block.yml @@ -5,26 +5,12 @@ date: '2024-10-17' author: Mauricio Velazco, Splunk status: production type: Hunting -description: The following analytic detects the execution of the `GetCurrent` method - from the WindowsIdentity .NET class using PowerShell Script Block Logging (EventCode=4104). - This method identifies the current Windows user. The detection leverages PowerShell - script block logs to identify when this method is called. This activity is significant - because adversaries and Red Teams may use it to gain situational awareness and perform - Active Directory discovery on compromised endpoints. If confirmed malicious, this - could allow attackers to map out user accounts and potentially escalate privileges - or move laterally within the network. +description: The following analytic detects the execution of the `GetCurrent` method from the WindowsIdentity .NET class using PowerShell Script Block Logging (EventCode=4104). This method identifies the current Windows user. The detection leverages PowerShell script block logs to identify when this method is called. This activity is significant because adversaries and Red Teams may use it to gain situational awareness and perform Active Directory discovery on compromised endpoints. If confirmed malicious, this could allow attackers to map out user accounts and potentially escalate privileges or move laterally within the network. data_source: - Powershell Script Block Logging 4104 -search: '`powershell` EventCode=4104 ScriptBlockText = "*[System.Security.Principal.WindowsIdentity]*" ScriptBlockText - = "*GetCurrent()*" | stats count min(_time) as firstTime max(_time) as lastTime - by EventCode ScriptBlockText Computer UserID | rename Computer as dest, UserID as - user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` - | `getcurrent_user_with_powershell_script_block_filter`' -how_to_implement: To successfully implement this analytic, you will need to enable - PowerShell Script Block Logging on some or all endpoints. Additional setup here - https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. -known_false_positives: Administrators or power users may use this PowerShell commandlet - for troubleshooting. +search: '`powershell` EventCode=4104 ScriptBlockText = "*[System.Security.Principal.WindowsIdentity]*" ScriptBlockText = "*GetCurrent()*" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | rename Computer as dest, UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `getcurrent_user_with_powershell_script_block_filter`' +how_to_implement: To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. +known_false_positives: Administrators or power users may use this PowerShell commandlet for troubleshooting. references: - https://attack.mitre.org/techniques/T1033/ - https://docs.microsoft.com/en-us/dotnet/api/system.security.principal.windowsidentity.getcurrent?view=net-6.0&viewFallbackFrom=net-5.0 @@ -59,7 +45,6 @@ tags: tests: - name: True Positive Test attack_data: - - data: - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1033/AD_discovery/windows-powershell-xml.log + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1033/AD_discovery/windows-powershell-xml.log source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/getdomaincomputer_with_powershell.yml b/detections/endpoint/getdomaincomputer_with_powershell.yml index bc80dab7cd..64a1d96544 100644 --- a/detections/endpoint/getdomaincomputer_with_powershell.yml +++ b/detections/endpoint/getdomaincomputer_with_powershell.yml @@ -16,12 +16,12 @@ known_false_positives: Administrators or power users may use PowerView for troub references: - https://attack.mitre.org/techniques/T1018/ drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/getdomaincomputer_with_powershell_script_block.yml b/detections/endpoint/getdomaincomputer_with_powershell_script_block.yml index 775ed3ebb9..bb1685ce36 100644 --- a/detections/endpoint/getdomaincomputer_with_powershell_script_block.yml +++ b/detections/endpoint/getdomaincomputer_with_powershell_script_block.yml @@ -15,12 +15,12 @@ references: - https://attack.mitre.org/techniques/T1018/ - https://powersploit.readthedocs.io/en/latest/Recon/Get-DomainComputer/ drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/getdomaincontroller_with_powershell.yml b/detections/endpoint/getdomaincontroller_with_powershell.yml index 1f92a606ff..0bf984e0a3 100644 --- a/detections/endpoint/getdomaincontroller_with_powershell.yml +++ b/detections/endpoint/getdomaincontroller_with_powershell.yml @@ -5,33 +5,13 @@ date: '2024-10-17' author: Mauricio Velazco, Splunk status: production type: Hunting -description: The following analytic detects the execution of `powershell.exe` with - the `Get-DomainController` command, which is used to discover remote systems within - a Windows domain. This detection leverages data from Endpoint Detection and Response - (EDR) agents, focusing on process names and command-line arguments. Monitoring this - activity is crucial as it may indicate an attempt to enumerate domain controllers, - a common tactic in Active Directory discovery. If confirmed malicious, this activity - could allow attackers to gain situational awareness, potentially leading to further - exploitation and lateral movement within the network. +description: The following analytic detects the execution of `powershell.exe` with the `Get-DomainController` command, which is used to discover remote systems within a Windows domain. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line arguments. Monitoring this activity is crucial as it may indicate an attempt to enumerate domain controllers, a common tactic in Active Directory discovery. If confirmed malicious, this activity could allow attackers to gain situational awareness, potentially leading to further exploitation and lateral movement within the network. data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) - as lastTime from datamodel=Endpoint.Processes where (Processes.process_name="powershell.exe") - (Processes.process=*Get-DomainController*) by Processes.dest Processes.user Processes.parent_process - Processes.process_name Processes.process Processes.process_id Processes.parent_process_id - | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` - | `getdomaincontroller_with_powershell_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection - and Response (EDR) agents. These agents are designed to provide security-related - telemetry from the endpoints where the agent is installed. To implement this search, - you must ingest logs that contain the process GUID, process name, and parent process. - Additionally, you must ingest complete command-line executions. These logs must - be processed using the appropriate Splunk Technology Add-ons that are specific to - the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` - data model. Use the Splunk Common Information Model (CIM) to normalize the field - names and speed up the data modeling process. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name="powershell.exe") (Processes.process=*Get-DomainController*) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `getdomaincontroller_with_powershell_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. known_false_positives: Administrators or power users may use PowerView for troubleshooting. references: - https://attack.mitre.org/techniques/T1018/ @@ -71,7 +51,6 @@ tags: tests: - name: True Positive Test attack_data: - - data: - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1018/AD_discovery/windows-sysmon.log + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1018/AD_discovery/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/getdomaincontroller_with_powershell_script_block.yml b/detections/endpoint/getdomaincontroller_with_powershell_script_block.yml index 18c7d9f098..bebf9e0a84 100644 --- a/detections/endpoint/getdomaincontroller_with_powershell_script_block.yml +++ b/detections/endpoint/getdomaincontroller_with_powershell_script_block.yml @@ -15,12 +15,12 @@ references: - https://attack.mitre.org/techniques/T1018/ - https://powersploit.readthedocs.io/en/latest/Recon/Get-DomainController/ drilldown_searches: -- name: View the detection results for $Computer$ - search: '%original_detection_search% | search Computer = $Computer$' +- name: View the detection results for - "$Computer$" + search: '%original_detection_search% | search Computer = "$Computer$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $Computer$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($Computer$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$Computer$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$Computer$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/getdomaingroup_with_powershell.yml b/detections/endpoint/getdomaingroup_with_powershell.yml index 944dae77f9..a29fe2c2ef 100644 --- a/detections/endpoint/getdomaingroup_with_powershell.yml +++ b/detections/endpoint/getdomaingroup_with_powershell.yml @@ -17,12 +17,12 @@ references: - https://attack.mitre.org/techniques/T1069/002/ - https://powersploit.readthedocs.io/en/latest/Recon/Get-DomainGroup/ drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/getdomaingroup_with_powershell_script_block.yml b/detections/endpoint/getdomaingroup_with_powershell_script_block.yml index 757b35d99e..862f2ca496 100644 --- a/detections/endpoint/getdomaingroup_with_powershell_script_block.yml +++ b/detections/endpoint/getdomaingroup_with_powershell_script_block.yml @@ -15,12 +15,12 @@ references: - https://attack.mitre.org/techniques/T1069/002/ - https://powersploit.readthedocs.io/en/latest/Recon/Get-DomainGroup/ drilldown_searches: -- name: View the detection results for $Computer$ - search: '%original_detection_search% | search Computer = $Computer$' +- name: View the detection results for - "$Computer$" + search: '%original_detection_search% | search Computer = "$Computer$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $Computer$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($Computer$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$Computer$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$Computer$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/getlocaluser_with_powershell.yml b/detections/endpoint/getlocaluser_with_powershell.yml index cfbffce694..8b38153004 100644 --- a/detections/endpoint/getlocaluser_with_powershell.yml +++ b/detections/endpoint/getlocaluser_with_powershell.yml @@ -5,35 +5,14 @@ date: '2024-10-17' author: Mauricio Velazco, Splunk status: production type: Hunting -description: The following analytic detects the execution of `powershell.exe` with - the `Get-LocalUser` commandlet, which is used to query local user accounts. This - detection leverages data from Endpoint Detection and Response (EDR) agents, focusing - on process names and command-line arguments. Monitoring this activity is significant - because adversaries and Red Teams may use it to enumerate local users for situational - awareness and Active Directory discovery. If confirmed malicious, this activity - could allow attackers to identify potential targets for further exploitation or - privilege escalation within the environment. +description: The following analytic detects the execution of `powershell.exe` with the `Get-LocalUser` commandlet, which is used to query local user accounts. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line arguments. Monitoring this activity is significant because adversaries and Red Teams may use it to enumerate local users for situational awareness and Active Directory discovery. If confirmed malicious, this activity could allow attackers to identify potential targets for further exploitation or privilege escalation within the environment. data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) - as lastTime from datamodel=Endpoint.Processes where (Processes.process_name="powershell.exe") - (Processes.process=*Get-LocalUser*) by Processes.dest Processes.user Processes.parent_process - Processes.process_name Processes.process Processes.process_id Processes.parent_process_id - | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` - | `getlocaluser_with_powershell_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection - and Response (EDR) agents. These agents are designed to provide security-related - telemetry from the endpoints where the agent is installed. To implement this search, - you must ingest logs that contain the process GUID, process name, and parent process. - Additionally, you must ingest complete command-line executions. These logs must - be processed using the appropriate Splunk Technology Add-ons that are specific to - the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` - data model. Use the Splunk Common Information Model (CIM) to normalize the field - names and speed up the data modeling process. -known_false_positives: Administrators or power users may use this PowerShell commandlet - for troubleshooting. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name="powershell.exe") (Processes.process=*Get-LocalUser*) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `getlocaluser_with_powershell_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. +known_false_positives: Administrators or power users may use this PowerShell commandlet for troubleshooting. references: - https://attack.mitre.org/techniques/T1087/001/ tags: @@ -62,7 +41,6 @@ tags: tests: - name: True Positive Test attack_data: - - data: - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1087.001/AD_discovery/windows-sysmon.log + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1087.001/AD_discovery/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/getlocaluser_with_powershell_script_block.yml b/detections/endpoint/getlocaluser_with_powershell_script_block.yml index bf2606e743..8783ab1097 100644 --- a/detections/endpoint/getlocaluser_with_powershell_script_block.yml +++ b/detections/endpoint/getlocaluser_with_powershell_script_block.yml @@ -5,25 +5,12 @@ date: '2024-10-17' author: Mauricio Velazco, Splunk status: production type: Hunting -description: The following analytic detects the execution of the `Get-LocalUser` PowerShell - commandlet using PowerShell Script Block Logging (EventCode=4104). This commandlet - lists all local users on a system. The detection leverages script block text from - PowerShell logs to identify this activity. Monitoring this behavior is significant - as adversaries and Red Teams may use it to enumerate local users for situational - awareness and Active Directory discovery. If confirmed malicious, this activity - could lead to further reconnaissance, enabling attackers to identify potential targets - for privilege escalation or lateral movement. +description: The following analytic detects the execution of the `Get-LocalUser` PowerShell commandlet using PowerShell Script Block Logging (EventCode=4104). This commandlet lists all local users on a system. The detection leverages script block text from PowerShell logs to identify this activity. Monitoring this behavior is significant as adversaries and Red Teams may use it to enumerate local users for situational awareness and Active Directory discovery. If confirmed malicious, this activity could lead to further reconnaissance, enabling attackers to identify potential targets for privilege escalation or lateral movement. data_source: - Powershell Script Block Logging 4104 -search: '`powershell` EventCode=4104 (ScriptBlockText = "*Get-LocalUser*") | stats - count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText - Computer user_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` - | `getlocaluser_with_powershell_script_block_filter`' -how_to_implement: To successfully implement this analytic, you will need to enable - PowerShell Script Block Logging on some or all endpoints. Additional setup here - https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. -known_false_positives: Administrators or power users may use this PowerShell commandlet - for troubleshooting. +search: '`powershell` EventCode=4104 (ScriptBlockText = "*Get-LocalUser*") | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer user_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `getlocaluser_with_powershell_script_block_filter`' +how_to_implement: To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. +known_false_positives: Administrators or power users may use this PowerShell commandlet for troubleshooting. references: - https://attack.mitre.org/techniques/T1087/001/ - https://www.splunk.com/en_us/blog/security/hunting-for-malicious-powershell-using-script-block-logging.html @@ -59,7 +46,6 @@ tags: tests: - name: True Positive Test attack_data: - - data: - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1087.001/AD_discovery/windows-powershell-xml.log + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1087.001/AD_discovery/windows-powershell-xml.log source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/getnettcpconnection_with_powershell.yml b/detections/endpoint/getnettcpconnection_with_powershell.yml index bd5015001c..aa2bb7d679 100644 --- a/detections/endpoint/getnettcpconnection_with_powershell.yml +++ b/detections/endpoint/getnettcpconnection_with_powershell.yml @@ -5,33 +5,13 @@ date: '2024-10-17' author: Mauricio Velazco, Splunk status: production type: Hunting -description: The following analytic identifies the execution of `powershell.exe` with - the `Get-NetTcpConnection` command, which lists current TCP connections on a system. - This detection leverages data from Endpoint Detection and Response (EDR) agents, - focusing on process names and command-line executions. Monitoring this activity - is significant as it may indicate an adversary or Red Team performing network reconnaissance - or situational awareness. If confirmed malicious, this activity could allow attackers - to map network connections, aiding in lateral movement or further exploitation within - the network. +description: The following analytic identifies the execution of `powershell.exe` with the `Get-NetTcpConnection` command, which lists current TCP connections on a system. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. Monitoring this activity is significant as it may indicate an adversary or Red Team performing network reconnaissance or situational awareness. If confirmed malicious, this activity could allow attackers to map network connections, aiding in lateral movement or further exploitation within the network. data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) - as lastTime from datamodel=Endpoint.Processes where (Processes.process_name="powershell.exe") - (Processes.process=*Get-NetTcpConnection*) by Processes.dest Processes.user Processes.parent_process - Processes.process_name Processes.process Processes.process_id Processes.parent_process_id - | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` - | `getnettcpconnection_with_powershell_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection - and Response (EDR) agents. These agents are designed to provide security-related - telemetry from the endpoints where the agent is installed. To implement this search, - you must ingest logs that contain the process GUID, process name, and parent process. - Additionally, you must ingest complete command-line executions. These logs must - be processed using the appropriate Splunk Technology Add-ons that are specific to - the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` - data model. Use the Splunk Common Information Model (CIM) to normalize the field - names and speed up the data modeling process. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name="powershell.exe") (Processes.process=*Get-NetTcpConnection*) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `getnettcpconnection_with_powershell_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. known_false_positives: Administrators or power users may use this command for troubleshooting. references: - https://attack.mitre.org/techniques/T1049/ @@ -71,7 +51,6 @@ tags: tests: - name: True Positive Test attack_data: - - data: - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1049/AD_discovery/windows-sysmon.log + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1049/AD_discovery/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/getnettcpconnection_with_powershell_script_block.yml b/detections/endpoint/getnettcpconnection_with_powershell_script_block.yml index ff68411266..799317709a 100644 --- a/detections/endpoint/getnettcpconnection_with_powershell_script_block.yml +++ b/detections/endpoint/getnettcpconnection_with_powershell_script_block.yml @@ -5,24 +5,12 @@ date: '2024-10-17' author: Mauricio Velazco, Splunk status: production type: Hunting -description: The following analytic detects the execution of the `Get-NetTcpconnection` - PowerShell cmdlet using PowerShell Script Block Logging (EventCode=4104). This cmdlet - lists network connections on a system, which adversaries may use for situational - awareness and Active Directory discovery. Monitoring this activity is crucial as - it can indicate reconnaissance efforts by an attacker. If confirmed malicious, this - behavior could allow an attacker to map the network, identify critical systems, - and plan further attacks, potentially leading to data exfiltration or lateral movement - within the network. +description: The following analytic detects the execution of the `Get-NetTcpconnection` PowerShell cmdlet using PowerShell Script Block Logging (EventCode=4104). This cmdlet lists network connections on a system, which adversaries may use for situational awareness and Active Directory discovery. Monitoring this activity is crucial as it can indicate reconnaissance efforts by an attacker. If confirmed malicious, this behavior could allow an attacker to map the network, identify critical systems, and plan further attacks, potentially leading to data exfiltration or lateral movement within the network. data_source: - Powershell Script Block Logging 4104 -search: '`powershell` EventCode=4104 (ScriptBlockText = "*Get-NetTcpconnection*") - | stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer - UserID EventCode ScriptBlockText | `security_content_ctime(firstTime)` | `getnettcpconnection_with_powershell_script_block_filter`' -how_to_implement: To successfully implement this analytic, you will need to enable - PowerShell Script Block Logging on some or all endpoints. Additional setup here - https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. -known_false_positives: Administrators or power users may use this PowerShell commandlet - for troubleshooting. +search: '`powershell` EventCode=4104 (ScriptBlockText = "*Get-NetTcpconnection*") | stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer UserID EventCode ScriptBlockText | `security_content_ctime(firstTime)` | `getnettcpconnection_with_powershell_script_block_filter`' +how_to_implement: To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. +known_false_positives: Administrators or power users may use this PowerShell commandlet for troubleshooting. references: - https://attack.mitre.org/techniques/T1049/ - https://docs.microsoft.com/en-us/powershell/module/nettcpip/get-nettcpconnection?view=windowsserver2019-ps @@ -56,7 +44,6 @@ tags: tests: - name: True Positive Test attack_data: - - data: - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/powershell_script_block_logging/nettcpconnection.log + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/powershell_script_block_logging/nettcpconnection.log source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/getwmiobject_ds_computer_with_powershell.yml b/detections/endpoint/getwmiobject_ds_computer_with_powershell.yml index fcdeb9931a..bc2cbd76f7 100644 --- a/detections/endpoint/getwmiobject_ds_computer_with_powershell.yml +++ b/detections/endpoint/getwmiobject_ds_computer_with_powershell.yml @@ -16,12 +16,12 @@ known_false_positives: Administrators or power users may use this command for tr references: - https://attack.mitre.org/techniques/T1018/ drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/getwmiobject_ds_computer_with_powershell_script_block.yml b/detections/endpoint/getwmiobject_ds_computer_with_powershell_script_block.yml index 0a1d018890..2c2a6a799e 100644 --- a/detections/endpoint/getwmiobject_ds_computer_with_powershell_script_block.yml +++ b/detections/endpoint/getwmiobject_ds_computer_with_powershell_script_block.yml @@ -15,12 +15,12 @@ references: - https://attack.mitre.org/techniques/T1018/ - https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-wmiobject?view=powershell-5.1 drilldown_searches: -- name: View the detection results for $Computer$ - search: '%original_detection_search% | search Computer = $Computer$' +- name: View the detection results for - "$Computer$" + search: '%original_detection_search% | search Computer = "$Computer$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $Computer$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($Computer$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$Computer$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$Computer$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/getwmiobject_ds_group_with_powershell.yml b/detections/endpoint/getwmiobject_ds_group_with_powershell.yml index ac17f4ac37..7b57b3aca3 100644 --- a/detections/endpoint/getwmiobject_ds_group_with_powershell.yml +++ b/detections/endpoint/getwmiobject_ds_group_with_powershell.yml @@ -17,12 +17,12 @@ references: - https://attack.mitre.org/techniques/T1069/002/ - https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-wmiobject?view=powershell-5.1 drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/getwmiobject_ds_group_with_powershell_script_block.yml b/detections/endpoint/getwmiobject_ds_group_with_powershell_script_block.yml index 54abc50426..89c0311466 100644 --- a/detections/endpoint/getwmiobject_ds_group_with_powershell_script_block.yml +++ b/detections/endpoint/getwmiobject_ds_group_with_powershell_script_block.yml @@ -15,12 +15,12 @@ references: - https://attack.mitre.org/techniques/T1069/002/ - https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-wmiobject?view=powershell-5.1 drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/getwmiobject_ds_user_with_powershell.yml b/detections/endpoint/getwmiobject_ds_user_with_powershell.yml index b63f286285..ff815d99d1 100644 --- a/detections/endpoint/getwmiobject_ds_user_with_powershell.yml +++ b/detections/endpoint/getwmiobject_ds_user_with_powershell.yml @@ -16,12 +16,12 @@ known_false_positives: Administrators or power users may use this command for tr references: - https://jpcertcc.github.io/ToolAnalysisResultSheet/details/dsquery.htm drilldown_searches: -- name: View the detection results for $user$ and $dest$ - search: '%original_detection_search% | search user = $user$ dest = $dest$' +- name: View the detection results for - "$user$" and "$dest$" + search: '%original_detection_search% | search user = "$user$" dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ and $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$, $dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" and "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/getwmiobject_ds_user_with_powershell_script_block.yml b/detections/endpoint/getwmiobject_ds_user_with_powershell_script_block.yml index fdf2ee381a..29572b31cc 100644 --- a/detections/endpoint/getwmiobject_ds_user_with_powershell_script_block.yml +++ b/detections/endpoint/getwmiobject_ds_user_with_powershell_script_block.yml @@ -15,12 +15,12 @@ references: - https://www.blackhillsinfosec.com/red-blue-purple/ - https://docs.microsoft.com/en-us/windows/win32/wmisdk/describing-the-ldap-namespace drilldown_searches: -- name: View the detection results for $dest$ and $user$ - search: '%original_detection_search% | search dest = $dest$ user = $user$' +- name: View the detection results for - "$dest$" and "$user$" + search: '%original_detection_search% | search dest = "$dest$" user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ and $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$, $user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" and "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/getwmiobject_user_account_with_powershell.yml b/detections/endpoint/getwmiobject_user_account_with_powershell.yml index 93d09aaa69..402fefd94a 100644 --- a/detections/endpoint/getwmiobject_user_account_with_powershell.yml +++ b/detections/endpoint/getwmiobject_user_account_with_powershell.yml @@ -5,35 +5,14 @@ date: '2024-10-17' author: Mauricio Velazco, Splunk status: production type: Hunting -description: The following analytic detects the execution of `powershell.exe` with - command-line arguments that utilize the `Get-WmiObject` cmdlet and the `Win32_UserAccount` - parameter to query local user accounts. It leverages data from Endpoint Detection - and Response (EDR) agents, focusing on process names and command-line executions. - This activity is significant as it may indicate an attempt by adversaries to enumerate - user accounts for situational awareness or Active Directory discovery. If confirmed - malicious, this behavior could lead to further reconnaissance, privilege escalation, - or lateral movement within the network. +description: The following analytic detects the execution of `powershell.exe` with command-line arguments that utilize the `Get-WmiObject` cmdlet and the `Win32_UserAccount` parameter to query local user accounts. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. This activity is significant as it may indicate an attempt by adversaries to enumerate user accounts for situational awareness or Active Directory discovery. If confirmed malicious, this behavior could lead to further reconnaissance, privilege escalation, or lateral movement within the network. data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) - as lastTime from datamodel=Endpoint.Processes where (Processes.process_name="powershell.exe") - (Processes.process=*Get-WmiObject* AND Processes.process=*Win32_UserAccount*) by - Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process - Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` - | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `getwmiobject_user_account_with_powershell_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection - and Response (EDR) agents. These agents are designed to provide security-related - telemetry from the endpoints where the agent is installed. To implement this search, - you must ingest logs that contain the process GUID, process name, and parent process. - Additionally, you must ingest complete command-line executions. These logs must - be processed using the appropriate Splunk Technology Add-ons that are specific to - the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` - data model. Use the Splunk Common Information Model (CIM) to normalize the field - names and speed up the data modeling process. -known_false_positives: Administrators or power users may use this PowerShell commandlet - for troubleshooting. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name="powershell.exe") (Processes.process=*Get-WmiObject* AND Processes.process=*Win32_UserAccount*) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `getwmiobject_user_account_with_powershell_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. +known_false_positives: Administrators or power users may use this PowerShell commandlet for troubleshooting. references: - https://attack.mitre.org/techniques/T1087/001/ tags: @@ -63,7 +42,6 @@ tags: tests: - name: True Positive Test attack_data: - - data: - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1087.001/AD_discovery/windows-sysmon.log + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1087.001/AD_discovery/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/getwmiobject_user_account_with_powershell_script_block.yml b/detections/endpoint/getwmiobject_user_account_with_powershell_script_block.yml index 79510a67c8..4e1aa8ad65 100644 --- a/detections/endpoint/getwmiobject_user_account_with_powershell_script_block.yml +++ b/detections/endpoint/getwmiobject_user_account_with_powershell_script_block.yml @@ -5,23 +5,12 @@ date: '2024-10-17' author: Mauricio Velazco, Splunk status: production type: Hunting -description: The following analytic detects the execution of the `Get-WmiObject` commandlet - with the `Win32_UserAccount` parameter via PowerShell Script Block Logging (EventCode=4104). - This method leverages script block text to identify when a list of all local users - is being enumerated. This activity is significant as it may indicate an adversary - or Red Team operation attempting to gather user information for situational awareness - and Active Directory discovery. If confirmed malicious, this could lead to further - reconnaissance, privilege escalation, or lateral movement within the network. +description: The following analytic detects the execution of the `Get-WmiObject` commandlet with the `Win32_UserAccount` parameter via PowerShell Script Block Logging (EventCode=4104). This method leverages script block text to identify when a list of all local users is being enumerated. This activity is significant as it may indicate an adversary or Red Team operation attempting to gather user information for situational awareness and Active Directory discovery. If confirmed malicious, this could lead to further reconnaissance, privilege escalation, or lateral movement within the network. data_source: - Powershell Script Block Logging 4104 -search: '`powershell` EventCode=4104 (ScriptBlockText="*Get-WmiObject*" AND ScriptBlockText="*Win32_UserAccount*") - | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText - Computer UserID | `security_content_ctime(firstTime)` | `getwmiobject_user_account_with_powershell_script_block_filter`' -how_to_implement: To successfully implement this analytic, you will need to enable - PowerShell Script Block Logging on some or all endpoints. Additional setup here - https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. -known_false_positives: Administrators or power users may use this PowerShell commandlet - for troubleshooting. +search: '`powershell` EventCode=4104 (ScriptBlockText="*Get-WmiObject*" AND ScriptBlockText="*Win32_UserAccount*") | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | `security_content_ctime(firstTime)` | `getwmiobject_user_account_with_powershell_script_block_filter`' +how_to_implement: To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. +known_false_positives: Administrators or power users may use this PowerShell commandlet for troubleshooting. references: - https://attack.mitre.org/techniques/T1087/001/ - https://www.splunk.com/en_us/blog/security/hunting-for-malicious-powershell-using-script-block-logging.html @@ -58,7 +47,6 @@ tags: tests: - name: True Positive Test attack_data: - - data: - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/powershell_script_block_logging/sbl_xml.log + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/powershell_script_block_logging/sbl_xml.log source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/gpupdate_with_no_command_line_arguments_with_network.yml b/detections/endpoint/gpupdate_with_no_command_line_arguments_with_network.yml index b432f23a72..38dcf715b3 100644 --- a/detections/endpoint/gpupdate_with_no_command_line_arguments_with_network.yml +++ b/detections/endpoint/gpupdate_with_no_command_line_arguments_with_network.yml @@ -15,12 +15,12 @@ references: - https://raw.githubusercontent.com/xx0hcd/Malleable-C2-Profiles/0ef8cf4556e26f6d4190c56ba697c2159faa5822/crimeware/trick_ryuk.profile - https://www.cobaltstrike.com/blog/learn-pipe-fitting-for-all-of-your-offense-projects/ drilldown_searches: -- name: View the detection results for $user$ and $dest$ - search: '%original_detection_search% | search user = $user$ dest = $dest$' +- name: View the detection results for - "$user$" and "$dest$" + search: '%original_detection_search% | search user = "$user$" dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ and $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$, $dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" and "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/headless_browser_mockbin_or_mocky_request.yml b/detections/endpoint/headless_browser_mockbin_or_mocky_request.yml index 81f3b070c4..20e425a60e 100644 --- a/detections/endpoint/headless_browser_mockbin_or_mocky_request.yml +++ b/detections/endpoint/headless_browser_mockbin_or_mocky_request.yml @@ -17,12 +17,12 @@ references: - https://mockbin.org/ - https://www.mocky.io/ drilldown_searches: -- name: View the detection results for $user$ and $dest$ - search: '%original_detection_search% | search user = $user$ dest = $dest$' +- name: View the detection results for - "$user$" and "$dest$" + search: '%original_detection_search% | search user = "$user$" dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ and $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$, $dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" and "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/headless_browser_usage.yml b/detections/endpoint/headless_browser_usage.yml index 40081f3ce4..2c3003632a 100644 --- a/detections/endpoint/headless_browser_usage.yml +++ b/detections/endpoint/headless_browser_usage.yml @@ -9,28 +9,10 @@ data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -description: 'The following analytic detects the usage of headless browsers within - an organization. It identifies processes containing the "--headless" and "--disable-gpu" - command line arguments, which are indicative of headless browsing. This detection - leverages data from the Endpoint.Processes datamodel to identify such processes. - Monitoring headless browser usage is significant as these tools can be exploited - by adversaries for malicious activities like web scraping, automated testing, and - undetected web interactions. If confirmed malicious, this activity could lead to - unauthorized data extraction, automated attacks, or other covert operations on web - applications.' -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) - as lastTime from datamodel=Endpoint.Processes where (Processes.process="*--headless*" - AND Processes.process="*--disable-gpu*") by Processes.dest Processes.user Processes.parent_process - Processes.process_name Processes.process Processes.process_id Processes.parent_process_id - | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| - `headless_browser_usage_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information - on process that include the name of the process responsible for the changes from - your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, - confirm the latest CIM App 4.20 or higher is installed and the latest TA for the - endpoint product. -known_false_positives: This hunting analytic is meant to assist with baselining and - understanding headless browsing in use. Filter as needed. +description: The following analytic detects the usage of headless browsers within an organization. It identifies processes containing the "--headless" and "--disable-gpu" command line arguments, which are indicative of headless browsing. This detection leverages data from the Endpoint.Processes datamodel to identify such processes. Monitoring headless browser usage is significant as these tools can be exploited by adversaries for malicious activities like web scraping, automated testing, and undetected web interactions. If confirmed malicious, this activity could lead to unauthorized data extraction, automated attacks, or other covert operations on web applications. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process="*--headless*" AND Processes.process="*--disable-gpu*") by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `headless_browser_usage_filter`' +how_to_implement: To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product. +known_false_positives: This hunting analytic is meant to assist with baselining and understanding headless browsing in use. Filter as needed. references: - https://cert.gov.ua/article/5702579 tags: @@ -70,7 +52,6 @@ tags: tests: - name: True Positive Test attack_data: - - data: - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1185/headlessbrowser/headless_mockbin.log + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1185/headlessbrowser/headless_mockbin.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/hide_user_account_from_sign_in_screen.yml b/detections/endpoint/hide_user_account_from_sign_in_screen.yml index 13c053ea04..400a9a755f 100644 --- a/detections/endpoint/hide_user_account_from_sign_in_screen.yml +++ b/detections/endpoint/hide_user_account_from_sign_in_screen.yml @@ -15,12 +15,12 @@ known_false_positives: Unknown. Filter as needed. references: - https://thedfirreport.com/2020/04/20/sqlserver-or-the-miner-in-the-basement/ drilldown_searches: -- name: View the detection results for $user$ and $dest$ - search: '%original_detection_search% | search user = $user$ dest = $dest$' +- name: View the detection results for - "$user$" and "$dest$" + search: '%original_detection_search% | search user = "$user$" dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ and $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$, $dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" and "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/hiding_files_and_directories_with_attrib_exe.yml b/detections/endpoint/hiding_files_and_directories_with_attrib_exe.yml index bc94d23018..53680b5454 100644 --- a/detections/endpoint/hiding_files_and_directories_with_attrib_exe.yml +++ b/detections/endpoint/hiding_files_and_directories_with_attrib_exe.yml @@ -15,12 +15,12 @@ how_to_implement: The detection is based on data that originates from Endpoint D known_false_positives: Some applications and users may legitimately use attrib.exe to interact with the files. references: [] drilldown_searches: -- name: View the detection results for $user$ and $dest$ - search: '%original_detection_search% | search user = $user$ dest = $dest$' +- name: View the detection results for - "$user$" and "$dest$" + search: '%original_detection_search% | search user = "$user$" dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ and $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$, $dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" and "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/high_frequency_copy_of_files_in_network_share.yml b/detections/endpoint/high_frequency_copy_of_files_in_network_share.yml index 72083d00ee..40456bc74e 100644 --- a/detections/endpoint/high_frequency_copy_of_files_in_network_share.yml +++ b/detections/endpoint/high_frequency_copy_of_files_in_network_share.yml @@ -14,12 +14,12 @@ known_false_positives: This behavior may seen in normal transfer of file within references: - https://attack.mitre.org/techniques/T1537/ drilldown_searches: -- name: View the detection results for $src_user$ - search: '%original_detection_search% | search src_user = $src_user$' +- name: View the detection results for - "$src_user$" + search: '%original_detection_search% | search src_user = "$src_user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $src_user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($src_user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$src_user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src_user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/high_process_termination_frequency.yml b/detections/endpoint/high_process_termination_frequency.yml index 3b9e14b432..d9018a2741 100644 --- a/detections/endpoint/high_process_termination_frequency.yml +++ b/detections/endpoint/high_process_termination_frequency.yml @@ -15,12 +15,12 @@ references: - https://www.mandiant.com/resources/fin11-email-campaigns-precursor-for-ransomware-data-theft - https://blog.virustotal.com/2020/11/keep-your-friends-close-keep-ransomware.html drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/hunting_3cxdesktopapp_software.yml b/detections/endpoint/hunting_3cxdesktopapp_software.yml index 84a6987a7f..fb75fc0106 100644 --- a/detections/endpoint/hunting_3cxdesktopapp_software.yml +++ b/detections/endpoint/hunting_3cxdesktopapp_software.yml @@ -9,31 +9,10 @@ data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -description: The following analytic detects the presence of any version of the 3CXDesktopApp, - also known as the 3CX Desktop App, on Mac or Windows systems. It leverages the Endpoint - data model's Processes node to identify instances of the application running, although - it does not provide file version information. This activity is significant because - 3CX has identified vulnerabilities in versions 18.12.407 and 18.12.416, which could - be exploited by attackers. If confirmed malicious, this could lead to unauthorized - access, data exfiltration, or further compromise of the affected systems. -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) - as lastTime from datamodel=Endpoint.Processes where Processes.process_name=3CXDesktopApp.exe - OR Processes.process_name="3CX Desktop App" by Processes.dest Processes.user Processes.parent_process_name - Processes.process_name Processes.original_file_name Processes.process Processes.process_id - Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` | `hunting_3cxdesktopapp_software_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection - and Response (EDR) agents. These agents are designed to provide security-related - telemetry from the endpoints where the agent is installed. To implement this search, - you must ingest logs that contain the process GUID, process name, and parent process. - Additionally, you must ingest complete command-line executions. These logs must - be processed using the appropriate Splunk Technology Add-ons that are specific to - the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` - data model. Use the Splunk Common Information Model (CIM) to normalize the field - names and speed up the data modeling process. -known_false_positives: There may be false positives generated due to the reliance - on version numbers for identification purposes. Despite this limitation, the primary - goal of this approach is to aid in the detection of the software within the environment. +description: The following analytic detects the presence of any version of the 3CXDesktopApp, also known as the 3CX Desktop App, on Mac or Windows systems. It leverages the Endpoint data model's Processes node to identify instances of the application running, although it does not provide file version information. This activity is significant because 3CX has identified vulnerabilities in versions 18.12.407 and 18.12.416, which could be exploited by attackers. If confirmed malicious, this could lead to unauthorized access, data exfiltration, or further compromise of the affected systems. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=3CXDesktopApp.exe OR Processes.process_name="3CX Desktop App" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `hunting_3cxdesktopapp_software_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. +known_false_positives: There may be false positives generated due to the reliance on version numbers for identification purposes. Despite this limitation, the primary goal of this approach is to aid in the detection of the software within the environment. references: - https://www.sentinelone.com/blog/smoothoperator-ongoing-campaign-trojanizes-3cx-software-in-software-supply-chain-attack/ - https://www.cisa.gov/news-events/alerts/2023/03/30/supply-chain-attack-against-3cxdesktopapp @@ -82,7 +61,6 @@ tags: tests: - name: True Positive Test attack_data: - - data: - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1195.002/3CX/3cx_windows-sysmon.log + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1195.002/3CX/3cx_windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/icacls_deny_command.yml b/detections/endpoint/icacls_deny_command.yml index 21841a03a4..bee4629890 100644 --- a/detections/endpoint/icacls_deny_command.yml +++ b/detections/endpoint/icacls_deny_command.yml @@ -16,12 +16,12 @@ known_false_positives: Unknown. It is possible some administrative scripts use I references: - https://thedfirreport.com/2020/04/20/sqlserver-or-the-miner-in-the-basement/ drilldown_searches: -- name: View the detection results for $dest$ and $user$ - search: '%original_detection_search% | search dest = $dest$ user = $user$' +- name: View the detection results for - "$dest$" and "$user$" + search: '%original_detection_search% | search dest = "$dest$" user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ and $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$, $user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" and "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/icacls_grant_command.yml b/detections/endpoint/icacls_grant_command.yml index 71778b1d11..127d0b98f6 100644 --- a/detections/endpoint/icacls_grant_command.yml +++ b/detections/endpoint/icacls_grant_command.yml @@ -16,12 +16,12 @@ known_false_positives: Unknown. Filter as needed. references: - https://thedfirreport.com/2020/04/20/sqlserver-or-the-miner-in-the-basement/ drilldown_searches: -- name: View the detection results for $dest$ and $user$ - search: '%original_detection_search% | search dest = $dest$ user = $user$' +- name: View the detection results for - "$dest$" and "$user$" + search: '%original_detection_search% | search dest = "$dest$" user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ and $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$, $user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" and "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/icedid_exfiltrated_archived_file_creation.yml b/detections/endpoint/icedid_exfiltrated_archived_file_creation.yml index 9fde20f87e..a674ae77d6 100644 --- a/detections/endpoint/icedid_exfiltrated_archived_file_creation.yml +++ b/detections/endpoint/icedid_exfiltrated_archived_file_creation.yml @@ -5,26 +5,13 @@ date: '2024-10-17' author: Teoderick Contreras, Splunk status: production type: Hunting -description: The following analytic detects the creation of suspicious files named - passff.tar and cookie.tar, which are indicative of archived stolen browser information - such as history and cookies on a machine compromised with IcedID. It leverages Sysmon - EventCode 11 to identify these specific filenames. This activity is significant - because it suggests that sensitive browser data has been exfiltrated, which could - lead to further exploitation or data breaches. If confirmed malicious, this could - allow attackers to access personal information, conduct further phishing attacks, - or escalate their presence within the network. +description: The following analytic detects the creation of suspicious files named passff.tar and cookie.tar, which are indicative of archived stolen browser information such as history and cookies on a machine compromised with IcedID. It leverages Sysmon EventCode 11 to identify these specific filenames. This activity is significant because it suggests that sensitive browser data has been exfiltrated, which could lead to further exploitation or data breaches. If confirmed malicious, this could allow attackers to access personal information, conduct further phishing attacks, or escalate their presence within the network. data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '`sysmon` EventCode= 11 (TargetFilename = "*\\passff.tar" OR TargetFilename - = "*\\cookie.tar") |stats count min(_time) as firstTime max(_time) as lastTime by - TargetFilename EventCode process_id process_name dest | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` | `icedid_exfiltrated_archived_file_creation_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting - logs with the process name, parent process, and command-line executions from your - endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the - Sysmon TA. +search: '`sysmon` EventCode= 11 (TargetFilename = "*\\passff.tar" OR TargetFilename = "*\\cookie.tar") |stats count min(_time) as firstTime max(_time) as lastTime by TargetFilename EventCode process_id process_name dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `icedid_exfiltrated_archived_file_creation_filter`' +how_to_implement: To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. known_false_positives: unknown references: - https://www.cisecurity.org/insights/white-papers/security-primer-icedid @@ -63,7 +50,6 @@ tags: tests: - name: True Positive Test attack_data: - - data: - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/icedid/simulated_icedid/windows-sysmon.log + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/icedid/simulated_icedid/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/impacket_lateral_movement_commandline_parameters.yml b/detections/endpoint/impacket_lateral_movement_commandline_parameters.yml index 2b6d6feda7..010d0697a6 100644 --- a/detections/endpoint/impacket_lateral_movement_commandline_parameters.yml +++ b/detections/endpoint/impacket_lateral_movement_commandline_parameters.yml @@ -24,12 +24,12 @@ references: - https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/ - https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/ drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/impacket_lateral_movement_smbexec_commandline_parameters.yml b/detections/endpoint/impacket_lateral_movement_smbexec_commandline_parameters.yml index bf7e0f5bdc..a45a3d10e5 100644 --- a/detections/endpoint/impacket_lateral_movement_smbexec_commandline_parameters.yml +++ b/detections/endpoint/impacket_lateral_movement_smbexec_commandline_parameters.yml @@ -24,12 +24,12 @@ references: - https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/ - https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/ drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/impacket_lateral_movement_wmiexec_commandline_parameters.yml b/detections/endpoint/impacket_lateral_movement_wmiexec_commandline_parameters.yml index 5dabad6171..38c7f924c7 100644 --- a/detections/endpoint/impacket_lateral_movement_wmiexec_commandline_parameters.yml +++ b/detections/endpoint/impacket_lateral_movement_wmiexec_commandline_parameters.yml @@ -24,12 +24,12 @@ references: - https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/ - https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/ drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/interactive_session_on_remote_endpoint_with_powershell.yml b/detections/endpoint/interactive_session_on_remote_endpoint_with_powershell.yml index 564b7f8c00..63ca5aac2a 100644 --- a/detections/endpoint/interactive_session_on_remote_endpoint_with_powershell.yml +++ b/detections/endpoint/interactive_session_on_remote_endpoint_with_powershell.yml @@ -15,12 +15,12 @@ references: - https://attack.mitre.org/techniques/T1021/006/ - https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/enter-pssession?view=powershell-7.2 drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/java_class_file_download_by_java_user_agent.yml b/detections/endpoint/java_class_file_download_by_java_user_agent.yml index 8e88b3560e..b1d9185b03 100644 --- a/detections/endpoint/java_class_file_download_by_java_user_agent.yml +++ b/detections/endpoint/java_class_file_download_by_java_user_agent.yml @@ -14,12 +14,12 @@ known_false_positives: Filtering may be required in some instances, filter as ne references: - https://arstechnica.com/information-technology/2021/12/as-log4shell-wreaks-havoc-payroll-service-reports-ransomware-attack/ drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/java_writing_jsp_file.yml b/detections/endpoint/java_writing_jsp_file.yml index a7fa69aa9b..283304bac3 100644 --- a/detections/endpoint/java_writing_jsp_file.yml +++ b/detections/endpoint/java_writing_jsp_file.yml @@ -16,12 +16,12 @@ references: - https://github.com/TheGejr/SpringShell - https://www.tenable.com/blog/spring4shell-faq-spring-framework-remote-code-execution-vulnerability drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/jscript_execution_using_cscript_app.yml b/detections/endpoint/jscript_execution_using_cscript_app.yml index f3fb461d14..dc4b4c37a8 100644 --- a/detections/endpoint/jscript_execution_using_cscript_app.yml +++ b/detections/endpoint/jscript_execution_using_cscript_app.yml @@ -17,12 +17,12 @@ references: - https://www.mandiant.com/resources/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation - https://attack.mitre.org/groups/G0046/ drilldown_searches: -- name: View the detection results for $dest$ and $user$ - search: '%original_detection_search% | search dest = $dest$ user = $user$' +- name: View the detection results for - "$dest$" and "$user$" + search: '%original_detection_search% | search dest = "$dest$" user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ and $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$, $user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" and "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/kerberoasting_spn_request_with_rc4_encryption.yml b/detections/endpoint/kerberoasting_spn_request_with_rc4_encryption.yml index 27ef472e80..7d9e0b4abc 100644 --- a/detections/endpoint/kerberoasting_spn_request_with_rc4_encryption.yml +++ b/detections/endpoint/kerberoasting_spn_request_with_rc4_encryption.yml @@ -15,12 +15,12 @@ references: - https://github.com/redcanaryco/atomic-red-team/blob/4e3e9c8096dde00639a6b98845ec349135554ed5/atomics/T1208/T1208.md - https://www.hub.trimarcsecurity.com/post/trimarc-research-detecting-kerberoasting-activity drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/kerberos_pre_authentication_flag_disabled_in_useraccountcontrol.yml b/detections/endpoint/kerberos_pre_authentication_flag_disabled_in_useraccountcontrol.yml index ad863ff677..ce485d7acb 100644 --- a/detections/endpoint/kerberos_pre_authentication_flag_disabled_in_useraccountcontrol.yml +++ b/detections/endpoint/kerberos_pre_authentication_flag_disabled_in_useraccountcontrol.yml @@ -16,12 +16,12 @@ references: - https://m0chan.github.io/2019/07/31/How-To-Attack-Kerberos-101.html - https://stealthbits.com/blog/cracking-active-directory-passwords-with-as-rep-roasting/ drilldown_searches: -- name: View the detection results for $user$ - search: '%original_detection_search% | search user = $user$' +- name: View the detection results for - "$user$" + search: '%original_detection_search% | search user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/kerberos_pre_authentication_flag_disabled_with_powershell.yml b/detections/endpoint/kerberos_pre_authentication_flag_disabled_with_powershell.yml index 848e055d3e..ee6f285da5 100644 --- a/detections/endpoint/kerberos_pre_authentication_flag_disabled_with_powershell.yml +++ b/detections/endpoint/kerberos_pre_authentication_flag_disabled_with_powershell.yml @@ -16,12 +16,12 @@ references: - https://m0chan.github.io/2019/07/31/How-To-Attack-Kerberos-101.html - https://stealthbits.com/blog/cracking-active-directory-passwords-with-as-rep-roasting/ drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/kerberos_service_ticket_request_using_rc4_encryption.yml b/detections/endpoint/kerberos_service_ticket_request_using_rc4_encryption.yml index 448a0a6796..daf6a40448 100644 --- a/detections/endpoint/kerberos_service_ticket_request_using_rc4_encryption.yml +++ b/detections/endpoint/kerberos_service_ticket_request_using_rc4_encryption.yml @@ -18,12 +18,12 @@ references: - https://gist.github.com/TarlogicSecurity/2f221924fef8c14a1d8e29f3cb5c5c4a - https://en.hackndo.com/kerberos-silver-golden-tickets/ drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/kerberos_tgt_request_using_rc4_encryption.yml b/detections/endpoint/kerberos_tgt_request_using_rc4_encryption.yml index af27724e69..63dcabc878 100644 --- a/detections/endpoint/kerberos_tgt_request_using_rc4_encryption.yml +++ b/detections/endpoint/kerberos_tgt_request_using_rc4_encryption.yml @@ -16,12 +16,12 @@ references: - https://www.thehacker.recipes/ad/movement/kerberos/ptk - https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4768 drilldown_searches: -- name: View the detection results for $src_ip$ - search: '%original_detection_search% | search src_ip = $src_ip$' +- name: View the detection results for - "$src_ip$" + search: '%original_detection_search% | search src_ip = "$src_ip$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $src_ip$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($src_ip$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$src_ip$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src_ip$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/kerberos_user_enumeration.yml b/detections/endpoint/kerberos_user_enumeration.yml index ad43eaeeec..d8b386f4a2 100644 --- a/detections/endpoint/kerberos_user_enumeration.yml +++ b/detections/endpoint/kerberos_user_enumeration.yml @@ -16,12 +16,12 @@ references: - https://attack.mitre.org/techniques/T1589/002/ - https://redsiege.com/tools-techniques/2020/04/user-enumeration-part-3-windows/ drilldown_searches: -- name: View the detection results for $src_ip$ - search: '%original_detection_search% | search src_ip = $src_ip$' +- name: View the detection results for - "$src_ip$" + search: '%original_detection_search% | search src_ip = "$src_ip$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $src_ip$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($src_ip$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$src_ip$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src_ip$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/known_services_killed_by_ransomware.yml b/detections/endpoint/known_services_killed_by_ransomware.yml index 1e7702e009..6db1615d1c 100644 --- a/detections/endpoint/known_services_killed_by_ransomware.yml +++ b/detections/endpoint/known_services_killed_by_ransomware.yml @@ -17,12 +17,12 @@ references: - https://news.sophos.com/en-us/2020/04/24/lockbit-ransomware-borrows-tricks-to-keep-up-with-revil-and-maze/ - https://blogs.vmware.com/security/2022/10/lockbit-3-0-also-known-as-lockbit-black.html drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/linux_account_manipulation_of_ssh_config_and_keys.yml b/detections/endpoint/linux_account_manipulation_of_ssh_config_and_keys.yml index 89a4f1c40e..ead82abba3 100644 --- a/detections/endpoint/linux_account_manipulation_of_ssh_config_and_keys.yml +++ b/detections/endpoint/linux_account_manipulation_of_ssh_config_and_keys.yml @@ -14,12 +14,12 @@ known_false_positives: Administrator or network operator can execute this comman references: - https://www.sentinelone.com/labs/acidrain-a-modem-wiper-rains-down-on-europe/ drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/linux_add_files_in_known_crontab_directories.yml b/detections/endpoint/linux_add_files_in_known_crontab_directories.yml index ebe58ff7a8..c8e8d9de04 100644 --- a/detections/endpoint/linux_add_files_in_known_crontab_directories.yml +++ b/detections/endpoint/linux_add_files_in_known_crontab_directories.yml @@ -15,12 +15,12 @@ references: - https://www.sandflysecurity.com/blog/detecting-cronrat-malware-on-linux-instantly/ - https://www.cyberciti.biz/faq/how-do-i-add-jobs-to-cron-under-linux-or-unix-oses/ drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/linux_add_user_account.yml b/detections/endpoint/linux_add_user_account.yml index 7b1bbe1770..33840facfb 100644 --- a/detections/endpoint/linux_add_user_account.yml +++ b/detections/endpoint/linux_add_user_account.yml @@ -5,32 +5,12 @@ date: '2024-10-17' author: Teoderick Contreras, Splunk status: production type: Hunting -description: The following analytic detects the creation of new user accounts on Linux - systems using commands like "useradd" or "adduser." It leverages data from Endpoint - Detection and Response (EDR) agents, focusing on process names and command-line - executions. This activity is significant as adversaries often create new user accounts - to establish persistence on compromised hosts. If confirmed malicious, this could - allow attackers to maintain access, escalate privileges, and further compromise - the system, posing a severe security risk. +description: The following analytic detects the creation of new user accounts on Linux systems using commands like "useradd" or "adduser." It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. This activity is significant as adversaries often create new user accounts to establish persistence on compromised hosts. If confirmed malicious, this could allow attackers to maintain access, escalate privileges, and further compromise the system, posing a severe security risk. data_source: - Sysmon for Linux EventID 1 -search: '| tstats `security_content_summariesonly` count from datamodel=Endpoint.Processes - where Processes.process_name IN ("useradd", "adduser") OR Processes.process IN ("*useradd - *", "*adduser *") by Processes.dest Processes.user Processes.parent_process_name - Processes.process_name Processes.process Processes.process_id Processes.parent_process_id - Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` | `linux_add_user_account_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection - and Response (EDR) agents. These agents are designed to provide security-related - telemetry from the endpoints where the agent is installed. To implement this search, - you must ingest logs that contain the process GUID, process name, and parent process. - Additionally, you must ingest complete command-line executions. These logs must - be processed using the appropriate Splunk Technology Add-ons that are specific to - the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` - data model. Use the Splunk Common Information Model (CIM) to normalize the field - names and speed up the data modeling process. -known_false_positives: Administrator or network operator can execute this command. - Please update the filter macros to remove false positives. +search: '| tstats `security_content_summariesonly` count from datamodel=Endpoint.Processes where Processes.process_name IN ("useradd", "adduser") OR Processes.process IN ("*useradd *", "*adduser *") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_add_user_account_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. +known_false_positives: Administrator or network operator can execute this command. Please update the filter macros to remove false positives. references: - https://linuxize.com/post/how-to-create-users-in-linux-using-the-useradd-command/ tags: @@ -67,7 +47,6 @@ tags: tests: - name: True Positive Test attack_data: - - data: - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548.003/linux_adduser/sysmon_linux.log + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548.003/linux_adduser/sysmon_linux.log source: Syslog:Linux-Sysmon/Operational sourcetype: sysmon:linux diff --git a/detections/endpoint/linux_adding_crontab_using_list_parameter.yml b/detections/endpoint/linux_adding_crontab_using_list_parameter.yml index 93e4c843e5..336fefcd17 100644 --- a/detections/endpoint/linux_adding_crontab_using_list_parameter.yml +++ b/detections/endpoint/linux_adding_crontab_using_list_parameter.yml @@ -5,33 +5,12 @@ date: '2024-10-17' author: Teoderick Contreras, Splunk status: production type: Hunting -description: The following analytic detects suspicious modifications to cron jobs - on Linux systems using the crontab command with list parameters. It leverages data - from Endpoint Detection and Response (EDR) agents, focusing on process names and - command-line executions. This activity is significant as it may indicate an attempt - to establish persistence or execute malicious code on a schedule. If confirmed malicious, - the impact could include unauthorized code execution, data destruction, or other - damaging outcomes. Further investigation should analyze the added cron job, its - associated command, and any related processes. +description: The following analytic detects suspicious modifications to cron jobs on Linux systems using the crontab command with list parameters. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. This activity is significant as it may indicate an attempt to establish persistence or execute malicious code on a schedule. If confirmed malicious, the impact could include unauthorized code execution, data destruction, or other damaging outcomes. Further investigation should analyze the added cron job, its associated command, and any related processes. data_source: - Sysmon for Linux EventID 1 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) - as lastTime from datamodel=Endpoint.Processes where Processes.process_name = "crontab" - Processes.process= "* -l*" by Processes.parent_process_name Processes.process_name - Processes.process Processes.process_id Processes.parent_process_id Processes.dest - Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` | `linux_adding_crontab_using_list_parameter_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection - and Response (EDR) agents. These agents are designed to provide security-related - telemetry from the endpoints where the agent is installed. To implement this search, - you must ingest logs that contain the process GUID, process name, and parent process. - Additionally, you must ingest complete command-line executions. These logs must - be processed using the appropriate Splunk Technology Add-ons that are specific to - the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` - data model. Use the Splunk Common Information Model (CIM) to normalize the field - names and speed up the data modeling process. -known_false_positives: Administrator or network operator can use this application - for automation purposes. Please update the filter macros to remove false positives. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = "crontab" Processes.process= "* -l*" by Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_adding_crontab_using_list_parameter_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. +known_false_positives: Administrator or network operator can use this application for automation purposes. Please update the filter macros to remove false positives. references: - https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/ - https://cert.gov.ua/article/39518 @@ -74,7 +53,6 @@ tags: tests: - name: True Positive Test attack_data: - - data: - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.003/crontab_list_parameter/sysmon_linux.log + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.003/crontab_list_parameter/sysmon_linux.log source: Syslog:Linux-Sysmon/Operational sourcetype: sysmon:linux diff --git a/detections/endpoint/linux_apt_get_privilege_escalation.yml b/detections/endpoint/linux_apt_get_privilege_escalation.yml index 42d832d87a..acdb068472 100644 --- a/detections/endpoint/linux_apt_get_privilege_escalation.yml +++ b/detections/endpoint/linux_apt_get_privilege_escalation.yml @@ -15,12 +15,12 @@ references: - https://gtfobins.github.io/gtfobins/apt-get/ - https://phoenixnap.com/kb/how-to-use-apt-get-commands drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/linux_apt_privilege_escalation.yml b/detections/endpoint/linux_apt_privilege_escalation.yml index 41689523a9..47211d30dd 100644 --- a/detections/endpoint/linux_apt_privilege_escalation.yml +++ b/detections/endpoint/linux_apt_privilege_escalation.yml @@ -15,12 +15,12 @@ references: - https://gtfobins.github.io/gtfobins/apt/ - https://www.digitalocean.com/community/tutorials/what-is-apt drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/linux_at_allow_config_file_creation.yml b/detections/endpoint/linux_at_allow_config_file_creation.yml index 6948266027..5519e8672e 100644 --- a/detections/endpoint/linux_at_allow_config_file_creation.yml +++ b/detections/endpoint/linux_at_allow_config_file_creation.yml @@ -14,12 +14,12 @@ known_false_positives: Administrator or network operator can create this file fo references: - https://linuxize.com/post/at-command-in-linux/ drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/linux_at_application_execution.yml b/detections/endpoint/linux_at_application_execution.yml index e0cc731768..90fd6f0483 100644 --- a/detections/endpoint/linux_at_application_execution.yml +++ b/detections/endpoint/linux_at_application_execution.yml @@ -15,12 +15,12 @@ references: - https://attack.mitre.org/techniques/T1053/001/ - https://www.linkedin.com/pulse/getting-attacker-ip-address-from-malicious-linux-job-craig-rowland/ drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/linux_auditd_add_user_account.yml b/detections/endpoint/linux_auditd_add_user_account.yml index 21ca2cf58f..3fd4de81ce 100644 --- a/detections/endpoint/linux_auditd_add_user_account.yml +++ b/detections/endpoint/linux_auditd_add_user_account.yml @@ -14,12 +14,12 @@ known_false_positives: Administrator or network operator can execute this comman references: - https://linuxize.com/post/how-to-create-users-in-linux-using-the-useradd-command/ drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/linux_auditd_add_user_account_type.yml b/detections/endpoint/linux_auditd_add_user_account_type.yml index 7a5302816a..19e183e33c 100644 --- a/detections/endpoint/linux_auditd_add_user_account_type.yml +++ b/detections/endpoint/linux_auditd_add_user_account_type.yml @@ -14,12 +14,12 @@ known_false_positives: Administrator or network operator can use this applicatio references: - https://www.splunk.com/en_us/blog/security/deep-dive-on-persistence-privilege-escalation-technique-and-detection-in-linux-platform.html drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/linux_auditd_at_application_execution.yml b/detections/endpoint/linux_auditd_at_application_execution.yml index b59b7b88b7..e142bdd4cf 100644 --- a/detections/endpoint/linux_auditd_at_application_execution.yml +++ b/detections/endpoint/linux_auditd_at_application_execution.yml @@ -15,12 +15,12 @@ references: - https://attack.mitre.org/techniques/T1053/001/ - https://www.linkedin.com/pulse/getting-attacker-ip-address-from-malicious-linux-job-craig-rowland/ drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/linux_auditd_auditd_service_stop.yml b/detections/endpoint/linux_auditd_auditd_service_stop.yml index ace7f974f3..e90f3fec26 100644 --- a/detections/endpoint/linux_auditd_auditd_service_stop.yml +++ b/detections/endpoint/linux_auditd_auditd_service_stop.yml @@ -14,12 +14,12 @@ known_false_positives: Administrator or network operator can use this applicatio references: - https://www.splunk.com/en_us/blog/security/deep-dive-on-persistence-privilege-escalation-technique-and-detection-in-linux-platform.html drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/linux_auditd_base64_decode_files.yml b/detections/endpoint/linux_auditd_base64_decode_files.yml index f8fc9fcde5..907eb58b78 100644 --- a/detections/endpoint/linux_auditd_base64_decode_files.yml +++ b/detections/endpoint/linux_auditd_base64_decode_files.yml @@ -15,12 +15,12 @@ references: - https://www.splunk.com/en_us/blog/security/deep-dive-on-persistence-privilege-escalation-technique-and-detection-in-linux-platform.html - https://gtfobins.github.io/gtfobins/dd/ drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/linux_auditd_change_file_owner_to_root.yml b/detections/endpoint/linux_auditd_change_file_owner_to_root.yml index 4e7eee5eb7..3c8eba210c 100644 --- a/detections/endpoint/linux_auditd_change_file_owner_to_root.yml +++ b/detections/endpoint/linux_auditd_change_file_owner_to_root.yml @@ -8,32 +8,19 @@ type: TTP description: The following analytic detects the use of the 'chown' command to change a file owner to 'root' on a Linux system. It leverages Linux Auditd telemetry, specifically monitoring command-line executions and process details. This activity is significant as it may indicate an attempt to escalate privileges by adversaries, malware, or red teamers. If confirmed malicious, this action could allow an attacker to gain root-level access, leading to full control over the compromised host and potential persistence within the environment. data_source: - Linux Auditd Proctitle -search: '`linux_auditd` `linux_auditd_normalized_proctitle_process`| rename host as - dest | where LIKE (process_exec, "%chown %root%") - | stats count min(_time) as firstTime max(_time) as lastTime by process_exec proctitle - normalized_proctitle_delimiter dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| - `linux_auditd_change_file_owner_to_root_filter`' -how_to_implement: To implement this detection, the process begins by ingesting auditd - data, that consist SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line - executions and process details on Unix/Linux systems. These logs should be ingested - and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), - which is essential for correctly parsing and categorizing the data. The next step - involves normalizing the field names to match the field names set by the Splunk - Common Information Model (CIM) to ensure consistency across different data sources - and enhance the efficiency of data modeling. This approach enables effective monitoring - and detection of linux endpoints where auditd is deployed -known_false_positives: Administrator or network operator can execute this command. - Please update the filter macros to remove false positives. +search: '`linux_auditd` `linux_auditd_normalized_proctitle_process`| rename host as dest | where LIKE (process_exec, "%chown %root%") | stats count min(_time) as firstTime max(_time) as lastTime by process_exec proctitle normalized_proctitle_delimiter dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `linux_auditd_change_file_owner_to_root_filter`' +how_to_implement: To implement this detection, the process begins by ingesting auditd data, that consist SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line executions and process details on Unix/Linux systems. These logs should be ingested and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), which is essential for correctly parsing and categorizing the data. The next step involves normalizing the field names to match the field names set by the Splunk Common Information Model (CIM) to ensure consistency across different data sources and enhance the efficiency of data modeling. This approach enables effective monitoring and detection of linux endpoints where auditd is deployed +known_false_positives: Administrator or network operator can execute this command. Please update the filter macros to remove false positives. references: - https://unix.stackexchange.com/questions/101073/how-to-change-permissions-from-root-user-to-all-users - https://askubuntu.com/questions/617850/changing-from-user-to-superuser drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/linux_auditd_clipboard_data_copy.yml b/detections/endpoint/linux_auditd_clipboard_data_copy.yml index 3ab37e1198..8970534501 100644 --- a/detections/endpoint/linux_auditd_clipboard_data_copy.yml +++ b/detections/endpoint/linux_auditd_clipboard_data_copy.yml @@ -15,12 +15,12 @@ references: - https://attack.mitre.org/techniques/T1115/ - https://linux.die.net/man/1/xclip drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/linux_auditd_data_destruction_command.yml b/detections/endpoint/linux_auditd_data_destruction_command.yml index 21fe1ef155..e67774b5c1 100644 --- a/detections/endpoint/linux_auditd_data_destruction_command.yml +++ b/detections/endpoint/linux_auditd_data_destruction_command.yml @@ -15,12 +15,12 @@ references: - https://cert.gov.ua/article/3718487 - https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/overview-of-the-cyber-weapons-used-in-the-ukraine-russia-war/ drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/linux_auditd_data_transfer_size_limits_via_split.yml b/detections/endpoint/linux_auditd_data_transfer_size_limits_via_split.yml index cabe63e096..820564df65 100644 --- a/detections/endpoint/linux_auditd_data_transfer_size_limits_via_split.yml +++ b/detections/endpoint/linux_auditd_data_transfer_size_limits_via_split.yml @@ -14,12 +14,12 @@ known_false_positives: Administrator or network operator can use this applicatio references: - https://www.splunk.com/en_us/blog/security/deep-dive-on-persistence-privilege-escalation-technique-and-detection-in-linux-platform.html drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/linux_auditd_data_transfer_size_limits_via_split_syscall.yml b/detections/endpoint/linux_auditd_data_transfer_size_limits_via_split_syscall.yml index f067c35836..9684772de3 100644 --- a/detections/endpoint/linux_auditd_data_transfer_size_limits_via_split_syscall.yml +++ b/detections/endpoint/linux_auditd_data_transfer_size_limits_via_split_syscall.yml @@ -14,12 +14,12 @@ known_false_positives: Administrator or network operator can use this applicatio references: - https://www.splunk.com/en_us/blog/security/deep-dive-on-persistence-privilege-escalation-technique-and-detection-in-linux-platform.html drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/linux_auditd_database_file_and_directory_discovery.yml b/detections/endpoint/linux_auditd_database_file_and_directory_discovery.yml index 7931c1288f..da49b339d6 100644 --- a/detections/endpoint/linux_auditd_database_file_and_directory_discovery.yml +++ b/detections/endpoint/linux_auditd_database_file_and_directory_discovery.yml @@ -15,12 +15,12 @@ references: - https://www.splunk.com/en_us/blog/security/deep-dive-on-persistence-privilege-escalation-technique-and-detection-in-linux-platform.html - https://github.com/peass-ng/PEASS-ng/tree/master/linPEAS drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/linux_auditd_dd_file_overwrite.yml b/detections/endpoint/linux_auditd_dd_file_overwrite.yml index a51b922ae5..3a60721624 100644 --- a/detections/endpoint/linux_auditd_dd_file_overwrite.yml +++ b/detections/endpoint/linux_auditd_dd_file_overwrite.yml @@ -15,12 +15,12 @@ references: - https://gtfobins.github.io/gtfobins/dd/ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1485/T1485.md drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/linux_auditd_disable_or_modify_system_firewall.yml b/detections/endpoint/linux_auditd_disable_or_modify_system_firewall.yml index 5e54e9d7ab..84510717a5 100644 --- a/detections/endpoint/linux_auditd_disable_or_modify_system_firewall.yml +++ b/detections/endpoint/linux_auditd_disable_or_modify_system_firewall.yml @@ -14,12 +14,12 @@ known_false_positives: Administrator or network operator can use this applicatio references: - https://www.splunk.com/en_us/blog/security/deep-dive-on-persistence-privilege-escalation-technique-and-detection-in-linux-platform.html drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/linux_auditd_doas_conf_file_creation.yml b/detections/endpoint/linux_auditd_doas_conf_file_creation.yml index 8ca900dd63..50a5fde6ec 100644 --- a/detections/endpoint/linux_auditd_doas_conf_file_creation.yml +++ b/detections/endpoint/linux_auditd_doas_conf_file_creation.yml @@ -15,12 +15,12 @@ references: - https://wiki.gentoo.org/wiki/Doas - https://www.makeuseof.com/how-to-install-and-use-doas/ drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/linux_auditd_doas_tool_execution.yml b/detections/endpoint/linux_auditd_doas_tool_execution.yml index e605b30250..934aa7c17d 100644 --- a/detections/endpoint/linux_auditd_doas_tool_execution.yml +++ b/detections/endpoint/linux_auditd_doas_tool_execution.yml @@ -15,12 +15,12 @@ references: - https://wiki.gentoo.org/wiki/Doas - https://www.makeuseof.com/how-to-install-and-use-doas/ drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/linux_auditd_edit_cron_table_parameter.yml b/detections/endpoint/linux_auditd_edit_cron_table_parameter.yml index a7b3076c1b..07d145ef1b 100644 --- a/detections/endpoint/linux_auditd_edit_cron_table_parameter.yml +++ b/detections/endpoint/linux_auditd_edit_cron_table_parameter.yml @@ -14,12 +14,12 @@ known_false_positives: Administrator or network operator can use this applicatio references: - https://attack.mitre.org/techniques/T1053/003/ drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/linux_auditd_file_and_directory_discovery.yml b/detections/endpoint/linux_auditd_file_and_directory_discovery.yml index fd08cd7e82..408246dd45 100644 --- a/detections/endpoint/linux_auditd_file_and_directory_discovery.yml +++ b/detections/endpoint/linux_auditd_file_and_directory_discovery.yml @@ -15,12 +15,12 @@ references: - https://www.splunk.com/en_us/blog/security/deep-dive-on-persistence-privilege-escalation-technique-and-detection-in-linux-platform.html - https://github.com/peass-ng/PEASS-ng/tree/master/linPEAS drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/linux_auditd_file_permission_modification_via_chmod.yml b/detections/endpoint/linux_auditd_file_permission_modification_via_chmod.yml index 175780d6f4..3e4d9f7bc6 100644 --- a/detections/endpoint/linux_auditd_file_permission_modification_via_chmod.yml +++ b/detections/endpoint/linux_auditd_file_permission_modification_via_chmod.yml @@ -14,12 +14,12 @@ known_false_positives: Administrator or network operator can use this applicatio references: - https://www.splunk.com/en_us/blog/security/deep-dive-on-persistence-privilege-escalation-technique-and-detection-in-linux-platform.html drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/linux_auditd_file_permissions_modification_via_chattr.yml b/detections/endpoint/linux_auditd_file_permissions_modification_via_chattr.yml index c083de3b43..fbbd639de3 100644 --- a/detections/endpoint/linux_auditd_file_permissions_modification_via_chattr.yml +++ b/detections/endpoint/linux_auditd_file_permissions_modification_via_chattr.yml @@ -14,12 +14,12 @@ known_false_positives: Administrator or network operator can use this applicatio references: - https://www.splunk.com/en_us/blog/security/deep-dive-on-persistence-privilege-escalation-technique-and-detection-in-linux-platform.html drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/linux_auditd_find_credentials_from_password_managers.yml b/detections/endpoint/linux_auditd_find_credentials_from_password_managers.yml index 776d532b91..d4897a6360 100644 --- a/detections/endpoint/linux_auditd_find_credentials_from_password_managers.yml +++ b/detections/endpoint/linux_auditd_find_credentials_from_password_managers.yml @@ -15,12 +15,12 @@ references: - https://www.splunk.com/en_us/blog/security/deep-dive-on-persistence-privilege-escalation-technique-and-detection-in-linux-platform.html - https://github.com/peass-ng/PEASS-ng/tree/master/linPEAS drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/linux_auditd_find_credentials_from_password_stores.yml b/detections/endpoint/linux_auditd_find_credentials_from_password_stores.yml index 58693c61cb..9adac7eebd 100644 --- a/detections/endpoint/linux_auditd_find_credentials_from_password_stores.yml +++ b/detections/endpoint/linux_auditd_find_credentials_from_password_stores.yml @@ -15,12 +15,12 @@ references: - https://www.splunk.com/en_us/blog/security/deep-dive-on-persistence-privilege-escalation-technique-and-detection-in-linux-platform.html - https://github.com/peass-ng/PEASS-ng/tree/master/linPEAS drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/linux_auditd_find_private_keys.yml b/detections/endpoint/linux_auditd_find_private_keys.yml index 4dfcf56df8..713ccc03a2 100644 --- a/detections/endpoint/linux_auditd_find_private_keys.yml +++ b/detections/endpoint/linux_auditd_find_private_keys.yml @@ -15,12 +15,12 @@ references: - https://www.splunk.com/en_us/blog/security/deep-dive-on-persistence-privilege-escalation-technique-and-detection-in-linux-platform.html - https://github.com/peass-ng/PEASS-ng/tree/master/linPEAS drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/linux_auditd_find_ssh_private_keys.yml b/detections/endpoint/linux_auditd_find_ssh_private_keys.yml index 751c769308..03daf2d62b 100644 --- a/detections/endpoint/linux_auditd_find_ssh_private_keys.yml +++ b/detections/endpoint/linux_auditd_find_ssh_private_keys.yml @@ -15,12 +15,12 @@ references: - https://www.splunk.com/en_us/blog/security/deep-dive-on-persistence-privilege-escalation-technique-and-detection-in-linux-platform.html - https://github.com/peass-ng/PEASS-ng/tree/master/linPEAS drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/linux_auditd_hardware_addition_swapoff.yml b/detections/endpoint/linux_auditd_hardware_addition_swapoff.yml index 1517763345..b6b196b857 100644 --- a/detections/endpoint/linux_auditd_hardware_addition_swapoff.yml +++ b/detections/endpoint/linux_auditd_hardware_addition_swapoff.yml @@ -14,12 +14,12 @@ known_false_positives: administrator may disable swapping of devices in a linux references: - https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/overview-of-the-cyber-weapons-used-in-the-ukraine-russia-war/ drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/linux_auditd_hidden_files_and_directories_creation.yml b/detections/endpoint/linux_auditd_hidden_files_and_directories_creation.yml index 04d97fd684..f4b313e1ab 100644 --- a/detections/endpoint/linux_auditd_hidden_files_and_directories_creation.yml +++ b/detections/endpoint/linux_auditd_hidden_files_and_directories_creation.yml @@ -15,12 +15,12 @@ references: - https://www.splunk.com/en_us/blog/security/deep-dive-on-persistence-privilege-escalation-technique-and-detection-in-linux-platform.html - https://github.com/peass-ng/PEASS-ng/tree/master/linPEAS drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/linux_auditd_insert_kernel_module_using_insmod_utility.yml b/detections/endpoint/linux_auditd_insert_kernel_module_using_insmod_utility.yml index affa8372af..b79acba0b0 100644 --- a/detections/endpoint/linux_auditd_insert_kernel_module_using_insmod_utility.yml +++ b/detections/endpoint/linux_auditd_insert_kernel_module_using_insmod_utility.yml @@ -16,12 +16,12 @@ references: - https://security.stackexchange.com/questions/175953/how-to-load-a-malicious-lkm-at-startup - https://0x00sec.org/t/kernel-rootkits-getting-your-hands-dirty/1485 drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/linux_auditd_install_kernel_module_using_modprobe_utility.yml b/detections/endpoint/linux_auditd_install_kernel_module_using_modprobe_utility.yml index 38e589b3c5..9751b854ce 100644 --- a/detections/endpoint/linux_auditd_install_kernel_module_using_modprobe_utility.yml +++ b/detections/endpoint/linux_auditd_install_kernel_module_using_modprobe_utility.yml @@ -16,12 +16,12 @@ references: - https://security.stackexchange.com/questions/175953/how-to-load-a-malicious-lkm-at-startup - https://0x00sec.org/t/kernel-rootkits-getting-your-hands-dirty/1485 drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/linux_auditd_kernel_module_enumeration.yml b/detections/endpoint/linux_auditd_kernel_module_enumeration.yml index fa50d18843..e5629b19f3 100644 --- a/detections/endpoint/linux_auditd_kernel_module_enumeration.yml +++ b/detections/endpoint/linux_auditd_kernel_module_enumeration.yml @@ -14,12 +14,12 @@ known_false_positives: False positives are present based on automated tooling or references: - https://man7.org/linux/man-pages/man8/kmod.8.html drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/linux_auditd_kernel_module_using_rmmod_utility.yml b/detections/endpoint/linux_auditd_kernel_module_using_rmmod_utility.yml index dcc8a59fa4..6c4145b1ef 100644 --- a/detections/endpoint/linux_auditd_kernel_module_using_rmmod_utility.yml +++ b/detections/endpoint/linux_auditd_kernel_module_using_rmmod_utility.yml @@ -14,12 +14,12 @@ known_false_positives: Administrator or network operator can use this applicatio references: - https://www.splunk.com/en_us/blog/security/deep-dive-on-persistence-privilege-escalation-technique-and-detection-in-linux-platform.html drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/linux_auditd_nopasswd_entry_in_sudoers_file.yml b/detections/endpoint/linux_auditd_nopasswd_entry_in_sudoers_file.yml index eeaf4585e8..37a7748495 100644 --- a/detections/endpoint/linux_auditd_nopasswd_entry_in_sudoers_file.yml +++ b/detections/endpoint/linux_auditd_nopasswd_entry_in_sudoers_file.yml @@ -15,12 +15,12 @@ references: - https://askubuntu.com/questions/334318/sudoers-file-enable-nopasswd-for-user-all-commands - https://help.ubuntu.com/community/Sudoers drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/linux_auditd_osquery_service_stop.yml b/detections/endpoint/linux_auditd_osquery_service_stop.yml index 921a569fa7..f8218b50a6 100644 --- a/detections/endpoint/linux_auditd_osquery_service_stop.yml +++ b/detections/endpoint/linux_auditd_osquery_service_stop.yml @@ -14,12 +14,12 @@ known_false_positives: Administrator or network operator can use this applicatio references: - https://www.splunk.com/en_us/blog/security/deep-dive-on-persistence-privilege-escalation-technique-and-detection-in-linux-platform.html drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/linux_auditd_possible_access_or_modification_of_sshd_config_file.yml b/detections/endpoint/linux_auditd_possible_access_or_modification_of_sshd_config_file.yml index d270c902c6..5b1bb8f93a 100644 --- a/detections/endpoint/linux_auditd_possible_access_or_modification_of_sshd_config_file.yml +++ b/detections/endpoint/linux_auditd_possible_access_or_modification_of_sshd_config_file.yml @@ -15,12 +15,12 @@ references: - https://www.hackingarticles.in/ssh-penetration-testing-port-22/ - https://attack.mitre.org/techniques/T1098/004/ drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/linux_auditd_possible_access_to_credential_files.yml b/detections/endpoint/linux_auditd_possible_access_to_credential_files.yml index f6ec9af344..7a393d7dc3 100644 --- a/detections/endpoint/linux_auditd_possible_access_to_credential_files.yml +++ b/detections/endpoint/linux_auditd_possible_access_to_credential_files.yml @@ -15,12 +15,12 @@ references: - https://askubuntu.com/questions/445361/what-is-difference-between-etc-shadow-and-etc-passwd - https://attack.mitre.org/techniques/T1003/008/ drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/linux_auditd_possible_access_to_sudoers_file.yml b/detections/endpoint/linux_auditd_possible_access_to_sudoers_file.yml index 2f9615e033..19ab4be8f0 100644 --- a/detections/endpoint/linux_auditd_possible_access_to_sudoers_file.yml +++ b/detections/endpoint/linux_auditd_possible_access_to_sudoers_file.yml @@ -15,12 +15,12 @@ references: - https://attack.mitre.org/techniques/T1548/003/ - https://web.archive.org/web/20210708035426/https://www.cobaltstrike.com/downloads/csmanual43.pdf drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/linux_auditd_possible_append_cronjob_entry_on_existing_cronjob_file.yml b/detections/endpoint/linux_auditd_possible_append_cronjob_entry_on_existing_cronjob_file.yml index b0e03477ff..7d10dddeb9 100644 --- a/detections/endpoint/linux_auditd_possible_append_cronjob_entry_on_existing_cronjob_file.yml +++ b/detections/endpoint/linux_auditd_possible_append_cronjob_entry_on_existing_cronjob_file.yml @@ -5,31 +5,12 @@ date: '2024-10-17' author: Teoderick Contreras, Splunk status: production type: Hunting -description: The following analytic detects potential tampering with cronjob files - on a Linux system by identifying 'echo' commands that append code to existing cronjob - files. It leverages logs from Linux Auditd, focusing on process names, parent processes, and command-line executions. This activity is - significant because adversaries often use it for persistence or privilege escalation. - If confirmed malicious, this could allow attackers to execute unauthorized code - automatically, leading to system compromises and unauthorized data access, thereby - impacting business operations and data integrity. +description: The following analytic detects potential tampering with cronjob files on a Linux system by identifying 'echo' commands that append code to existing cronjob files. It leverages logs from Linux Auditd, focusing on process names, parent processes, and command-line executions. This activity is significant because adversaries often use it for persistence or privilege escalation. If confirmed malicious, this could allow attackers to execute unauthorized code automatically, leading to system compromises and unauthorized data access, thereby impacting business operations and data integrity. data_source: - Linux Auditd Path -search: '`linux_auditd` type=PATH name IN("*/etc/cron*", "*/var/spool/cron/*", "*/etc/anacrontab*") - | rename host as dest | stats count min(_time) as firstTime max(_time) as lastTime - by name nametype OGID dest | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| - `linux_auditd_possible_append_cronjob_entry_on_existing_cronjob_file_filter`' -how_to_implement: To implement this detection, the process begins by ingesting auditd - data, that consist SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line - executions and process details on Unix/Linux systems. These logs should be ingested - and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), - which is essential for correctly parsing and categorizing the data. The next step - involves normalizing the field names to match the field names set by the Splunk - Common Information Model (CIM) to ensure consistency across different data sources - and enhance the efficiency of data modeling. This approach enables effective monitoring - and detection of linux endpoints where auditd is deployed -known_false_positives: False positives may arise from legitimate actions by administrators - or network operators who may use these commands for automation purposes. Therefore, - it's recommended to adjust filter macros to eliminate such false positives. +search: '`linux_auditd` type=PATH name IN("*/etc/cron*", "*/var/spool/cron/*", "*/etc/anacrontab*") | rename host as dest | stats count min(_time) as firstTime max(_time) as lastTime by name nametype OGID dest | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| `linux_auditd_possible_append_cronjob_entry_on_existing_cronjob_file_filter`' +how_to_implement: To implement this detection, the process begins by ingesting auditd data, that consist SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line executions and process details on Unix/Linux systems. These logs should be ingested and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), which is essential for correctly parsing and categorizing the data. The next step involves normalizing the field names to match the field names set by the Splunk Common Information Model (CIM) to ensure consistency across different data sources and enhance the efficiency of data modeling. This approach enables effective monitoring and detection of linux endpoints where auditd is deployed +known_false_positives: False positives may arise from legitimate actions by administrators or network operators who may use these commands for automation purposes. Therefore, it's recommended to adjust filter macros to eliminate such false positives. references: - https://attack.mitre.org/techniques/T1053/003/ - https://blog.aquasec.com/threat-alert-kinsing-malware-container-vulnerability diff --git a/detections/endpoint/linux_auditd_preload_hijack_library_calls.yml b/detections/endpoint/linux_auditd_preload_hijack_library_calls.yml index 575dbbb226..b0b87780b3 100644 --- a/detections/endpoint/linux_auditd_preload_hijack_library_calls.yml +++ b/detections/endpoint/linux_auditd_preload_hijack_library_calls.yml @@ -14,12 +14,12 @@ known_false_positives: Administrator or network operator can execute this comman references: - https://compilepeace.medium.com/memory-malware-part-0x2-writing-userland-rootkits-via-ld-preload-30121c8343d5 drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/linux_auditd_preload_hijack_via_preload_file.yml b/detections/endpoint/linux_auditd_preload_hijack_via_preload_file.yml index 5747b043f3..ed9d9ff948 100644 --- a/detections/endpoint/linux_auditd_preload_hijack_via_preload_file.yml +++ b/detections/endpoint/linux_auditd_preload_hijack_via_preload_file.yml @@ -14,12 +14,12 @@ known_false_positives: Administrator or network operator can use this applicatio references: - https://www.splunk.com/en_us/blog/security/deep-dive-on-persistence-privilege-escalation-technique-and-detection-in-linux-platform.html drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/linux_auditd_service_restarted.yml b/detections/endpoint/linux_auditd_service_restarted.yml index 610dc69799..87bbb2e1ec 100644 --- a/detections/endpoint/linux_auditd_service_restarted.yml +++ b/detections/endpoint/linux_auditd_service_restarted.yml @@ -14,12 +14,12 @@ known_false_positives: Administrator or network operator can use this commandlin references: - https://attack.mitre.org/techniques/T1543/003/ drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/linux_auditd_service_started.yml b/detections/endpoint/linux_auditd_service_started.yml index 6e0f48e8d7..127d703220 100644 --- a/detections/endpoint/linux_auditd_service_started.yml +++ b/detections/endpoint/linux_auditd_service_started.yml @@ -14,12 +14,12 @@ known_false_positives: Administrator or network operator can use this applicatio references: - https://www.splunk.com/en_us/blog/security/deep-dive-on-persistence-privilege-escalation-technique-and-detection-in-linux-platform.html drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/linux_auditd_setuid_using_chmod_utility.yml b/detections/endpoint/linux_auditd_setuid_using_chmod_utility.yml index 8132d8067c..c8ade3e08d 100644 --- a/detections/endpoint/linux_auditd_setuid_using_chmod_utility.yml +++ b/detections/endpoint/linux_auditd_setuid_using_chmod_utility.yml @@ -14,12 +14,12 @@ known_false_positives: Administrator or network operator can execute this comman references: - https://www.hackingarticles.in/linux-privilege-escalation-using-capabilities/ drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/linux_auditd_setuid_using_setcap_utility.yml b/detections/endpoint/linux_auditd_setuid_using_setcap_utility.yml index c61a8616ad..dab576f585 100644 --- a/detections/endpoint/linux_auditd_setuid_using_setcap_utility.yml +++ b/detections/endpoint/linux_auditd_setuid_using_setcap_utility.yml @@ -14,12 +14,12 @@ known_false_positives: Administrator or network operator can execute this comman references: - https://www.hackingarticles.in/linux-privilege-escalation-using-capabilities/ drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/linux_auditd_shred_overwrite_command.yml b/detections/endpoint/linux_auditd_shred_overwrite_command.yml index ac025bf2e0..21220aebad 100644 --- a/detections/endpoint/linux_auditd_shred_overwrite_command.yml +++ b/detections/endpoint/linux_auditd_shred_overwrite_command.yml @@ -15,12 +15,12 @@ references: - https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/ - https://cert.gov.ua/article/39518 drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/linux_auditd_stop_services.yml b/detections/endpoint/linux_auditd_stop_services.yml index 62862d1e69..745186a07a 100644 --- a/detections/endpoint/linux_auditd_stop_services.yml +++ b/detections/endpoint/linux_auditd_stop_services.yml @@ -15,12 +15,12 @@ references: - https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/ - https://cert.gov.ua/article/39518 drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/linux_auditd_sudo_or_su_execution.yml b/detections/endpoint/linux_auditd_sudo_or_su_execution.yml index f7e291cc43..eb9bd249f1 100644 --- a/detections/endpoint/linux_auditd_sudo_or_su_execution.yml +++ b/detections/endpoint/linux_auditd_sudo_or_su_execution.yml @@ -14,12 +14,12 @@ known_false_positives: Administrator or network operator can execute this comman references: - https://attack.mitre.org/techniques/T1548/003/ drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/linux_auditd_sysmon_service_stop.yml b/detections/endpoint/linux_auditd_sysmon_service_stop.yml index 66a82100ed..fe72f91575 100644 --- a/detections/endpoint/linux_auditd_sysmon_service_stop.yml +++ b/detections/endpoint/linux_auditd_sysmon_service_stop.yml @@ -14,12 +14,12 @@ known_false_positives: Administrator or network operator can use this applicatio references: - https://www.splunk.com/en_us/blog/security/deep-dive-on-persistence-privilege-escalation-technique-and-detection-in-linux-platform.html drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/linux_auditd_system_network_configuration_discovery.yml b/detections/endpoint/linux_auditd_system_network_configuration_discovery.yml index 70bef76398..2aa7efb626 100644 --- a/detections/endpoint/linux_auditd_system_network_configuration_discovery.yml +++ b/detections/endpoint/linux_auditd_system_network_configuration_discovery.yml @@ -14,12 +14,12 @@ known_false_positives: Administrator or network operator can use this applicatio references: - https://www.splunk.com/en_us/blog/security/deep-dive-on-persistence-privilege-escalation-technique-and-detection-in-linux-platform.html drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/linux_auditd_unix_shell_configuration_modification.yml b/detections/endpoint/linux_auditd_unix_shell_configuration_modification.yml index 2efdb5c8a0..2d75516cb6 100644 --- a/detections/endpoint/linux_auditd_unix_shell_configuration_modification.yml +++ b/detections/endpoint/linux_auditd_unix_shell_configuration_modification.yml @@ -15,12 +15,12 @@ references: - https://www.splunk.com/en_us/blog/security/deep-dive-on-persistence-privilege-escalation-technique-and-detection-in-linux-platform.html - https://github.com/peass-ng/PEASS-ng/tree/master/linPEAS drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/linux_auditd_unload_module_via_modprobe.yml b/detections/endpoint/linux_auditd_unload_module_via_modprobe.yml index ff62ceeb4e..f34589900d 100644 --- a/detections/endpoint/linux_auditd_unload_module_via_modprobe.yml +++ b/detections/endpoint/linux_auditd_unload_module_via_modprobe.yml @@ -14,12 +14,12 @@ known_false_positives: Administrator or network operator can use this applicatio references: - https://www.splunk.com/en_us/blog/security/deep-dive-on-persistence-privilege-escalation-technique-and-detection-in-linux-platform.html drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/linux_auditd_virtual_disk_file_and_directory_discovery.yml b/detections/endpoint/linux_auditd_virtual_disk_file_and_directory_discovery.yml index b084b5b55e..cabae614c3 100644 --- a/detections/endpoint/linux_auditd_virtual_disk_file_and_directory_discovery.yml +++ b/detections/endpoint/linux_auditd_virtual_disk_file_and_directory_discovery.yml @@ -15,12 +15,12 @@ references: - https://www.splunk.com/en_us/blog/security/deep-dive-on-persistence-privilege-escalation-technique-and-detection-in-linux-platform.html - https://github.com/peass-ng/PEASS-ng/tree/master/linPEAS drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/linux_auditd_whoami_user_discovery.yml b/detections/endpoint/linux_auditd_whoami_user_discovery.yml index 984e08351f..d2bf0d74d7 100644 --- a/detections/endpoint/linux_auditd_whoami_user_discovery.yml +++ b/detections/endpoint/linux_auditd_whoami_user_discovery.yml @@ -15,12 +15,12 @@ references: - https://www.splunk.com/en_us/blog/security/deep-dive-on-persistence-privilege-escalation-technique-and-detection-in-linux-platform.html - https://github.com/peass-ng/PEASS-ng/tree/master/linPEAS drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/linux_awk_privilege_escalation.yml b/detections/endpoint/linux_awk_privilege_escalation.yml index 752ff4c57b..818dc533a5 100644 --- a/detections/endpoint/linux_awk_privilege_escalation.yml +++ b/detections/endpoint/linux_awk_privilege_escalation.yml @@ -14,12 +14,12 @@ known_false_positives: False positives are present based on automated tooling or references: - https://www.hacknos.com/awk-privilege-escalation/ drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/linux_busybox_privilege_escalation.yml b/detections/endpoint/linux_busybox_privilege_escalation.yml index 8d8ee41c92..4d836fa5bb 100644 --- a/detections/endpoint/linux_busybox_privilege_escalation.yml +++ b/detections/endpoint/linux_busybox_privilege_escalation.yml @@ -15,12 +15,12 @@ references: - https://gtfobins.github.io/gtfobins/busybox/ - https://man.archlinux.org/man/busybox.1.en drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/linux_c89_privilege_escalation.yml b/detections/endpoint/linux_c89_privilege_escalation.yml index c2559a3e1a..80ebe84edf 100644 --- a/detections/endpoint/linux_c89_privilege_escalation.yml +++ b/detections/endpoint/linux_c89_privilege_escalation.yml @@ -15,12 +15,12 @@ references: - https://gtfobins.github.io/gtfobins/c89/ - https://www.ibm.com/docs/en/zos/2.1.0?topic=guide-c89-compiler-invocation-using-host-environment-variables drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/linux_c99_privilege_escalation.yml b/detections/endpoint/linux_c99_privilege_escalation.yml index 2119edcccb..54ec5b893a 100644 --- a/detections/endpoint/linux_c99_privilege_escalation.yml +++ b/detections/endpoint/linux_c99_privilege_escalation.yml @@ -15,12 +15,12 @@ references: - https://gtfobins.github.io/gtfobins/c99/ - https://pubs.opengroup.org/onlinepubs/009604499/utilities/c99.html drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/linux_change_file_owner_to_root.yml b/detections/endpoint/linux_change_file_owner_to_root.yml index 1e10f31c85..c9adc9f578 100644 --- a/detections/endpoint/linux_change_file_owner_to_root.yml +++ b/detections/endpoint/linux_change_file_owner_to_root.yml @@ -15,12 +15,12 @@ references: - https://unix.stackexchange.com/questions/101073/how-to-change-permissions-from-root-user-to-all-users - https://askubuntu.com/questions/617850/changing-from-user-to-superuser drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/linux_clipboard_data_copy.yml b/detections/endpoint/linux_clipboard_data_copy.yml index 7ebeaef3f3..8e65848fec 100644 --- a/detections/endpoint/linux_clipboard_data_copy.yml +++ b/detections/endpoint/linux_clipboard_data_copy.yml @@ -15,12 +15,12 @@ references: - https://attack.mitre.org/techniques/T1115/ - https://linux.die.net/man/1/xclip drilldown_searches: -- name: View the detection results for $user$ and $dest$ - search: '%original_detection_search% | search user = $user$ dest = $dest$' +- name: View the detection results for - "$user$" and "$dest$" + search: '%original_detection_search% | search user = "$user$" dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ and $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$, $dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" and "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/linux_common_process_for_elevation_control.yml b/detections/endpoint/linux_common_process_for_elevation_control.yml index 9335479a1e..a7a5dcea78 100644 --- a/detections/endpoint/linux_common_process_for_elevation_control.yml +++ b/detections/endpoint/linux_common_process_for_elevation_control.yml @@ -5,38 +5,12 @@ date: '2024-10-17' author: Teoderick Contreras, Splunk status: production type: Hunting -description: The following analytic identifies the execution of common Linux processes - used for elevation control, such as `chmod`, `chown`, and `setuid`. It leverages - data from Endpoint Detection and Response (EDR) agents, focusing on process names - and command-line executions. This activity is significant because these processes - are often abused by adversaries to gain persistence or escalate privileges on compromised - hosts. If confirmed malicious, this behavior could allow attackers to modify file - attributes, change file ownership, or set user IDs, potentially leading to unauthorized - access and control over critical system resources. +description: The following analytic identifies the execution of common Linux processes used for elevation control, such as `chmod`, `chown`, and `setuid`. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. This activity is significant because these processes are often abused by adversaries to gain persistence or escalate privileges on compromised hosts. If confirmed malicious, this behavior could allow attackers to modify file attributes, change file ownership, or set user IDs, potentially leading to unauthorized access and control over critical system resources. data_source: - Sysmon for Linux EventID 1 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) - as lastTime from datamodel=Endpoint.Processes where Processes.process_name IN ("chmod", - "chown", "fchmod", "fchmodat", "fchown", "fchownat", "fremovexattr", "fsetxattr", - "lchown", "lremovexattr", "lsetxattr", "removexattr", "setuid", "setgid", "setreuid", - "setregid", "chattr") OR Processes.process IN ("*chmod *", "*chown *", "*fchmod - *", "*fchmodat *", "*fchown *", "*fchownat *", "*fremovexattr *", "*fsetxattr *", - "*lchown *", "*lremovexattr *", "*lsetxattr *", "*removexattr *", "*setuid *", "*setgid - *", "*setreuid *", "*setregid *", "*setcap *", "*chattr *") by Processes.dest Processes.user - Processes.parent_process_name Processes.process_name Processes.process Processes.process_id - Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` - | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_common_process_for_elevation_control_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection - and Response (EDR) agents. These agents are designed to provide security-related - telemetry from the endpoints where the agent is installed. To implement this search, - you must ingest logs that contain the process GUID, process name, and parent process. - Additionally, you must ingest complete command-line executions. These logs must - be processed using the appropriate Splunk Technology Add-ons that are specific to - the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` - data model. Use the Splunk Common Information Model (CIM) to normalize the field - names and speed up the data modeling process. -known_false_positives: Administrator or network operator can execute this command. - Please update the filter macros to remove false positives. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name IN ("chmod", "chown", "fchmod", "fchmodat", "fchown", "fchownat", "fremovexattr", "fsetxattr", "lchown", "lremovexattr", "lsetxattr", "removexattr", "setuid", "setgid", "setreuid", "setregid", "chattr") OR Processes.process IN ("*chmod *", "*chown *", "*fchmod *", "*fchmodat *", "*fchown *", "*fchownat *", "*fremovexattr *", "*fsetxattr *", "*lchown *", "*lremovexattr *", "*lsetxattr *", "*removexattr *", "*setuid *", "*setgid *", "*setreuid *", "*setregid *", "*setcap *", "*chattr *") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_common_process_for_elevation_control_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. +known_false_positives: Administrator or network operator can execute this command. Please update the filter macros to remove false positives. references: - https://attack.mitre.org/techniques/T1548/001/ - https://github.com/Neo23x0/auditd/blob/master/audit.rules#L285-L297 @@ -77,7 +51,6 @@ tags: tests: - name: True Positive Test attack_data: - - data: - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548.001/chmod_uid/sysmon_linux.log + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548.001/chmod_uid/sysmon_linux.log source: Syslog:Linux-Sysmon/Operational sourcetype: sysmon:linux diff --git a/detections/endpoint/linux_composer_privilege_escalation.yml b/detections/endpoint/linux_composer_privilege_escalation.yml index 35a6711c6f..5b5b73996a 100644 --- a/detections/endpoint/linux_composer_privilege_escalation.yml +++ b/detections/endpoint/linux_composer_privilege_escalation.yml @@ -15,12 +15,12 @@ references: - https://gtfobins.github.io/gtfobins/composer/ - https://getcomposer.org/doc/00-intro.md drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/linux_cpulimit_privilege_escalation.yml b/detections/endpoint/linux_cpulimit_privilege_escalation.yml index 11eb7b86ae..41562aee25 100644 --- a/detections/endpoint/linux_cpulimit_privilege_escalation.yml +++ b/detections/endpoint/linux_cpulimit_privilege_escalation.yml @@ -15,12 +15,12 @@ references: - https://gtfobins.github.io/gtfobins/cpulimit/ - http://cpulimit.sourceforge.net/ drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/linux_csvtool_privilege_escalation.yml b/detections/endpoint/linux_csvtool_privilege_escalation.yml index 5e81eaa90c..0104e41822 100644 --- a/detections/endpoint/linux_csvtool_privilege_escalation.yml +++ b/detections/endpoint/linux_csvtool_privilege_escalation.yml @@ -14,12 +14,12 @@ known_false_positives: False positives may be present, filter as needed. references: - https://gtfobins.github.io/gtfobins/csvtool/ drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/linux_curl_upload_file.yml b/detections/endpoint/linux_curl_upload_file.yml index c9f100d265..8e0e4a459f 100644 --- a/detections/endpoint/linux_curl_upload_file.yml +++ b/detections/endpoint/linux_curl_upload_file.yml @@ -16,12 +16,12 @@ references: - https://www.cadosecurity.com/team-tnt-the-first-crypto-mining-worm-to-steal-aws-credentials/ - https://gtfobins.github.io/gtfobins/curl/ drilldown_searches: -- name: View the detection results for $user$ and $dest$ - search: '%original_detection_search% | search user = $user$ dest = $dest$' +- name: View the detection results for - "$user$" and "$dest$" + search: '%original_detection_search% | search user = "$user$" dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ and $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$, $dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" and "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/linux_data_destruction_command.yml b/detections/endpoint/linux_data_destruction_command.yml index 45053a1ef0..de61188fb8 100644 --- a/detections/endpoint/linux_data_destruction_command.yml +++ b/detections/endpoint/linux_data_destruction_command.yml @@ -15,12 +15,12 @@ references: - https://cert.gov.ua/article/3718487 - https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/overview-of-the-cyber-weapons-used-in-the-ukraine-russia-war/ drilldown_searches: -- name: View the detection results for $dest$ and $user$ - search: '%original_detection_search% | search dest = $dest$ user = $user$' +- name: View the detection results for - "$dest$" and "$user$" + search: '%original_detection_search% | search dest = "$dest$" user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ and $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$, $user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" and "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/linux_dd_file_overwrite.yml b/detections/endpoint/linux_dd_file_overwrite.yml index d46313e651..bbec4a58d0 100644 --- a/detections/endpoint/linux_dd_file_overwrite.yml +++ b/detections/endpoint/linux_dd_file_overwrite.yml @@ -15,12 +15,12 @@ references: - https://gtfobins.github.io/gtfobins/dd/ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1485/T1485.md drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/linux_decode_base64_to_shell.yml b/detections/endpoint/linux_decode_base64_to_shell.yml index 696d66b994..98ca08285b 100644 --- a/detections/endpoint/linux_decode_base64_to_shell.yml +++ b/detections/endpoint/linux_decode_base64_to_shell.yml @@ -16,12 +16,12 @@ references: - https://redcanary.com/blog/lateral-movement-with-secure-shell/ - https://linux.die.net/man/1/base64 drilldown_searches: -- name: View the detection results for $user$ and $dest$ - search: '%original_detection_search% | search user = $user$ dest = $dest$' +- name: View the detection results for - "$user$" and "$dest$" + search: '%original_detection_search% | search user = "$user$" dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ and $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$, $dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" and "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/linux_deleting_critical_directory_using_rm_command.yml b/detections/endpoint/linux_deleting_critical_directory_using_rm_command.yml index aeb2e4fa78..b4ccc41d19 100644 --- a/detections/endpoint/linux_deleting_critical_directory_using_rm_command.yml +++ b/detections/endpoint/linux_deleting_critical_directory_using_rm_command.yml @@ -15,12 +15,12 @@ references: - https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/ - https://cert.gov.ua/article/39518 drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/linux_deletion_of_cron_jobs.yml b/detections/endpoint/linux_deletion_of_cron_jobs.yml index 67f1814ddc..372beef4cd 100644 --- a/detections/endpoint/linux_deletion_of_cron_jobs.yml +++ b/detections/endpoint/linux_deletion_of_cron_jobs.yml @@ -14,12 +14,12 @@ known_false_positives: Administrator or network operator can execute this comman references: - https://www.sentinelone.com/labs/acidrain-a-modem-wiper-rains-down-on-europe/ drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/linux_deletion_of_init_daemon_script.yml b/detections/endpoint/linux_deletion_of_init_daemon_script.yml index eee3f6e98b..964c68d38d 100644 --- a/detections/endpoint/linux_deletion_of_init_daemon_script.yml +++ b/detections/endpoint/linux_deletion_of_init_daemon_script.yml @@ -14,12 +14,12 @@ known_false_positives: Administrator or network operator can execute this comman references: - https://www.sentinelone.com/labs/acidrain-a-modem-wiper-rains-down-on-europe/ drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/linux_deletion_of_services.yml b/detections/endpoint/linux_deletion_of_services.yml index 505179ab34..675a8a64f5 100644 --- a/detections/endpoint/linux_deletion_of_services.yml +++ b/detections/endpoint/linux_deletion_of_services.yml @@ -16,12 +16,12 @@ references: - https://unix.stackexchange.com/questions/224992/where-do-i-put-my-systemd-unit-file - https://cert.gov.ua/article/3718487 drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/linux_deletion_of_ssl_certificate.yml b/detections/endpoint/linux_deletion_of_ssl_certificate.yml index 6775382cce..27cfec49ed 100644 --- a/detections/endpoint/linux_deletion_of_ssl_certificate.yml +++ b/detections/endpoint/linux_deletion_of_ssl_certificate.yml @@ -14,12 +14,12 @@ known_false_positives: Administrator or network operator can execute this comman references: - https://www.sentinelone.com/labs/acidrain-a-modem-wiper-rains-down-on-europe/ drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/linux_disable_services.yml b/detections/endpoint/linux_disable_services.yml index 32cc2d292b..6493dfe15e 100644 --- a/detections/endpoint/linux_disable_services.yml +++ b/detections/endpoint/linux_disable_services.yml @@ -15,12 +15,12 @@ references: - https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/ - https://cert.gov.ua/article/39518 drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/linux_doas_conf_file_creation.yml b/detections/endpoint/linux_doas_conf_file_creation.yml index 3d5f6711d6..69ebf10e4d 100644 --- a/detections/endpoint/linux_doas_conf_file_creation.yml +++ b/detections/endpoint/linux_doas_conf_file_creation.yml @@ -15,12 +15,12 @@ references: - https://wiki.gentoo.org/wiki/Doas - https://www.makeuseof.com/how-to-install-and-use-doas/ drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/linux_doas_tool_execution.yml b/detections/endpoint/linux_doas_tool_execution.yml index 152d791a3e..9fbd372be8 100644 --- a/detections/endpoint/linux_doas_tool_execution.yml +++ b/detections/endpoint/linux_doas_tool_execution.yml @@ -15,12 +15,12 @@ references: - https://wiki.gentoo.org/wiki/Doas - https://www.makeuseof.com/how-to-install-and-use-doas/ drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/linux_docker_privilege_escalation.yml b/detections/endpoint/linux_docker_privilege_escalation.yml index 1f0fcbf229..ab6b0d3dc4 100644 --- a/detections/endpoint/linux_docker_privilege_escalation.yml +++ b/detections/endpoint/linux_docker_privilege_escalation.yml @@ -14,12 +14,12 @@ known_false_positives: False positives are present based on automated tooling or references: - https://gtfobins.github.io/gtfobins/docker/ drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/linux_edit_cron_table_parameter.yml b/detections/endpoint/linux_edit_cron_table_parameter.yml index eaf8cd2424..7d46839e16 100644 --- a/detections/endpoint/linux_edit_cron_table_parameter.yml +++ b/detections/endpoint/linux_edit_cron_table_parameter.yml @@ -5,32 +5,12 @@ date: '2024-10-17' author: Teoderick Contreras, Splunk status: production type: Hunting -description: 'The following analytic detects the suspicious editing of cron jobs in - Linux using the crontab command-line parameter (-e). It identifies this activity - by monitoring command-line executions involving ''crontab'' and the edit parameter. - This behavior is significant for a SOC as cron job manipulations can indicate unauthorized - persistence attempts or scheduled malicious actions. If confirmed malicious, this - activity could lead to system compromise, unauthorized access, or broader network - compromise.' +description: The following analytic detects the suspicious editing of cron jobs in Linux using the crontab command-line parameter (-e). It identifies this activity by monitoring command-line executions involving 'crontab' and the edit parameter. This behavior is significant for a SOC as cron job manipulations can indicate unauthorized persistence attempts or scheduled malicious actions. If confirmed malicious, this activity could lead to system compromise, unauthorized access, or broader network compromise. data_source: - Sysmon for Linux EventID 1 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) - as lastTime from datamodel=Endpoint.Processes where Processes.process_name = crontab - Processes.process = "*crontab *" Processes.process = "* -e*" by Processes.dest Processes.user - Processes.parent_process_name Processes.process_name Processes.process Processes.process_id - Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` | `linux_edit_cron_table_parameter_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection - and Response (EDR) agents. These agents are designed to provide security-related - telemetry from the endpoints where the agent is installed. To implement this search, - you must ingest logs that contain the process GUID, process name, and parent process. - Additionally, you must ingest complete command-line executions. These logs must - be processed using the appropriate Splunk Technology Add-ons that are specific to - the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` - data model. Use the Splunk Common Information Model (CIM) to normalize the field - names and speed up the data modeling process. -known_false_positives: Administrator or network operator can use this application - for automation purposes. Please update the filter macros to remove false positives. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = crontab Processes.process = "*crontab *" Processes.process = "* -e*" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_edit_cron_table_parameter_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. +known_false_positives: Administrator or network operator can use this application for automation purposes. Please update the filter macros to remove false positives. references: - https://attack.mitre.org/techniques/T1053/003/ tags: @@ -69,7 +49,6 @@ tags: tests: - name: True Positive Test attack_data: - - data: - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.003/crontab_edit_parameter/sysmon_linux.log + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.003/crontab_edit_parameter/sysmon_linux.log source: Syslog:Linux-Sysmon/Operational sourcetype: sysmon:linux diff --git a/detections/endpoint/linux_emacs_privilege_escalation.yml b/detections/endpoint/linux_emacs_privilege_escalation.yml index 67f2c07b4d..c44f6370a0 100644 --- a/detections/endpoint/linux_emacs_privilege_escalation.yml +++ b/detections/endpoint/linux_emacs_privilege_escalation.yml @@ -15,12 +15,12 @@ references: - https://gtfobins.github.io/gtfobins/emacs/ - https://en.wikipedia.org/wiki/Emacs drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/linux_file_created_in_kernel_driver_directory.yml b/detections/endpoint/linux_file_created_in_kernel_driver_directory.yml index 8fdb4ccd6d..14976063c1 100644 --- a/detections/endpoint/linux_file_created_in_kernel_driver_directory.yml +++ b/detections/endpoint/linux_file_created_in_kernel_driver_directory.yml @@ -16,12 +16,12 @@ references: - https://security.stackexchange.com/questions/175953/how-to-load-a-malicious-lkm-at-startup - https://0x00sec.org/t/kernel-rootkits-getting-your-hands-dirty/1485 drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/linux_file_creation_in_init_boot_directory.yml b/detections/endpoint/linux_file_creation_in_init_boot_directory.yml index 7d98c66d6c..f439334a11 100644 --- a/detections/endpoint/linux_file_creation_in_init_boot_directory.yml +++ b/detections/endpoint/linux_file_creation_in_init_boot_directory.yml @@ -14,12 +14,12 @@ known_false_positives: Administrator or network operator can create file in this references: - https://www.intezer.com/blog/research/kaiji-new-chinese-linux-malware-turning-to-golang/ drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/linux_file_creation_in_profile_directory.yml b/detections/endpoint/linux_file_creation_in_profile_directory.yml index a0857309b5..9c75f75660 100644 --- a/detections/endpoint/linux_file_creation_in_profile_directory.yml +++ b/detections/endpoint/linux_file_creation_in_profile_directory.yml @@ -15,12 +15,12 @@ references: - https://attack.mitre.org/techniques/T1546/004/ - https://www.intezer.com/blog/research/kaiji-new-chinese-linux-malware-turning-to-golang/ drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/linux_find_privilege_escalation.yml b/detections/endpoint/linux_find_privilege_escalation.yml index a58bedad7e..3f4af49715 100644 --- a/detections/endpoint/linux_find_privilege_escalation.yml +++ b/detections/endpoint/linux_find_privilege_escalation.yml @@ -15,12 +15,12 @@ references: - https://gtfobins.github.io/gtfobins/find/ - https://en.wikipedia.org/wiki/Find_(Unix) drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/linux_gdb_privilege_escalation.yml b/detections/endpoint/linux_gdb_privilege_escalation.yml index 972e0f077b..48a4050581 100644 --- a/detections/endpoint/linux_gdb_privilege_escalation.yml +++ b/detections/endpoint/linux_gdb_privilege_escalation.yml @@ -14,12 +14,12 @@ known_false_positives: False positives may be present, filter as needed. references: - https://gtfobins.github.io/gtfobins/gdb/ drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/linux_gem_privilege_escalation.yml b/detections/endpoint/linux_gem_privilege_escalation.yml index ac24b1f2bd..89e7b80e14 100644 --- a/detections/endpoint/linux_gem_privilege_escalation.yml +++ b/detections/endpoint/linux_gem_privilege_escalation.yml @@ -15,12 +15,12 @@ references: - https://gtfobins.github.io/gtfobins/gem/ - https://en.wikipedia.org/wiki/RubyGems drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/linux_gnu_awk_privilege_escalation.yml b/detections/endpoint/linux_gnu_awk_privilege_escalation.yml index 4cd062a970..18efeb3b06 100644 --- a/detections/endpoint/linux_gnu_awk_privilege_escalation.yml +++ b/detections/endpoint/linux_gnu_awk_privilege_escalation.yml @@ -15,12 +15,12 @@ references: - https://gtfobins.github.io/gtfobins/gawk/ - https://www.geeksforgeeks.org/gawk-command-in-linux-with-examples/ drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/linux_hardware_addition_swapoff.yml b/detections/endpoint/linux_hardware_addition_swapoff.yml index 99fd8add81..645b98b69f 100644 --- a/detections/endpoint/linux_hardware_addition_swapoff.yml +++ b/detections/endpoint/linux_hardware_addition_swapoff.yml @@ -14,12 +14,12 @@ known_false_positives: administrator may disable swapping of devices in a linux references: - https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/overview-of-the-cyber-weapons-used-in-the-ukraine-russia-war/ drilldown_searches: -- name: View the detection results for $dest$ and $user$ - search: '%original_detection_search% | search dest = $dest$ user = $user$' +- name: View the detection results for - "$dest$" and "$user$" + search: '%original_detection_search% | search dest = "$dest$" user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ and $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$, $user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" and "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/linux_high_frequency_of_file_deletion_in_boot_folder.yml b/detections/endpoint/linux_high_frequency_of_file_deletion_in_boot_folder.yml index 0ff4acf877..077434def8 100644 --- a/detections/endpoint/linux_high_frequency_of_file_deletion_in_boot_folder.yml +++ b/detections/endpoint/linux_high_frequency_of_file_deletion_in_boot_folder.yml @@ -15,12 +15,12 @@ references: - https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/ - https://cert.gov.ua/article/39518 drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/linux_high_frequency_of_file_deletion_in_etc_folder.yml b/detections/endpoint/linux_high_frequency_of_file_deletion_in_etc_folder.yml index 8c4c1b19bc..e3b8105ac3 100644 --- a/detections/endpoint/linux_high_frequency_of_file_deletion_in_etc_folder.yml +++ b/detections/endpoint/linux_high_frequency_of_file_deletion_in_etc_folder.yml @@ -14,12 +14,12 @@ known_false_positives: linux package installer/uninstaller may cause this event. references: - https://www.sentinelone.com/labs/acidrain-a-modem-wiper-rains-down-on-europe/ drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/linux_impair_defenses_process_kill.yml b/detections/endpoint/linux_impair_defenses_process_kill.yml index 8f79069e78..a4cdc259aa 100644 --- a/detections/endpoint/linux_impair_defenses_process_kill.yml +++ b/detections/endpoint/linux_impair_defenses_process_kill.yml @@ -5,33 +5,12 @@ date: '2024-10-17' author: Teoderick Contreras, Splunk status: production type: Hunting -description: The following analytic identifies the execution of the 'pkill' command, - which is used to terminate processes on a Linux system. It leverages data from Endpoint - Detection and Response (EDR) agents, focusing on process names and command-line - executions. This activity is significant because threat actors often use 'pkill' - to disable security defenses or terminate critical processes, facilitating further - malicious actions. If confirmed malicious, this behavior could lead to the disruption - of security applications, enabling attackers to evade detection and potentially - corrupt or destroy files on the targeted system. +description: The following analytic identifies the execution of the 'pkill' command, which is used to terminate processes on a Linux system. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. This activity is significant because threat actors often use 'pkill' to disable security defenses or terminate critical processes, facilitating further malicious actions. If confirmed malicious, this behavior could lead to the disruption of security applications, enabling attackers to evade detection and potentially corrupt or destroy files on the targeted system. data_source: - Sysmon for Linux EventID 1 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) - as lastTime from datamodel=Endpoint.Processes where Processes.process_name IN ( - "pgrep", "pkill") Processes.process = "*pkill *" by Processes.dest Processes.user - Processes.parent_process_name Processes.process_name Processes.process Processes.process_id - Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` - | `security_content_ctime(firstTime)` | `linux_impair_defenses_process_kill_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection - and Response (EDR) agents. These agents are designed to provide security-related - telemetry from the endpoints where the agent is installed. To implement this search, - you must ingest logs that contain the process GUID, process name, and parent process. - Additionally, you must ingest complete command-line executions. These logs must - be processed using the appropriate Splunk Technology Add-ons that are specific to - the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` - data model. Use the Splunk Common Information Model (CIM) to normalize the field - names and speed up the data modeling process. -known_false_positives: network admin can terminate a process using this linux command. - Filter is needed. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name IN ( "pgrep", "pkill") Processes.process = "*pkill *" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `linux_impair_defenses_process_kill_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. +known_false_positives: network admin can terminate a process using this linux command. Filter is needed. references: - https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/overview-of-the-cyber-weapons-used-in-the-ukraine-russia-war/ - https://cert.gov.ua/article/3718487 @@ -42,8 +21,7 @@ tags: asset_type: Endpoint confidence: 30 impact: 30 - message: a $process_name$ tries to execute pkill commandline to terminate process - in $dest$ + message: a $process_name$ tries to execute pkill commandline to terminate process in $dest$ mitre_attack_id: - T1562.001 - T1562 @@ -74,8 +52,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/awfulshred/test1/sysmon_linux.log + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/awfulshred/test1/sysmon_linux.log source: Syslog:Linux-Sysmon/Operational sourcetype: sysmon:linux update_timestamp: true diff --git a/detections/endpoint/linux_indicator_removal_clear_cache.yml b/detections/endpoint/linux_indicator_removal_clear_cache.yml index ac573d0b1d..3d4e6fe939 100644 --- a/detections/endpoint/linux_indicator_removal_clear_cache.yml +++ b/detections/endpoint/linux_indicator_removal_clear_cache.yml @@ -15,12 +15,12 @@ references: - https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/overview-of-the-cyber-weapons-used-in-the-ukraine-russia-war/ - https://cert.gov.ua/article/3718487 drilldown_searches: -- name: View the detection results for $dest$ and $user$ - search: '%original_detection_search% | search dest = $dest$ user = $user$' +- name: View the detection results for - "$dest$" and "$user$" + search: '%original_detection_search% | search dest = "$dest$" user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ and $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$, $user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" and "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/linux_indicator_removal_service_file_deletion.yml b/detections/endpoint/linux_indicator_removal_service_file_deletion.yml index 71ed77c49d..e7bfe7bcba 100644 --- a/detections/endpoint/linux_indicator_removal_service_file_deletion.yml +++ b/detections/endpoint/linux_indicator_removal_service_file_deletion.yml @@ -15,12 +15,12 @@ references: - https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/overview-of-the-cyber-weapons-used-in-the-ukraine-russia-war/ - https://cert.gov.ua/article/3718487 drilldown_searches: -- name: View the detection results for $dest$ and $user$ - search: '%original_detection_search% | search dest = $dest$ user = $user$' +- name: View the detection results for - "$dest$" and "$user$" + search: '%original_detection_search% | search dest = "$dest$" user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ and $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$, $user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" and "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/linux_ingress_tool_transfer_hunting.yml b/detections/endpoint/linux_ingress_tool_transfer_hunting.yml index 4dccefd193..e4324b1fc0 100644 --- a/detections/endpoint/linux_ingress_tool_transfer_hunting.yml +++ b/detections/endpoint/linux_ingress_tool_transfer_hunting.yml @@ -5,33 +5,12 @@ date: '2024-10-17' author: Michael Haag, Splunk status: production type: Hunting -description: The following analytic detects the use of 'curl' and 'wget' commands - within a Linux environment. It leverages data from Endpoint Detection and Response - (EDR) agents, focusing on process names, user information, and command-line executions. - This activity is significant as 'curl' and 'wget' are commonly used for downloading - files, which can indicate potential ingress of malicious tools. If confirmed malicious, - this activity could lead to unauthorized code execution, data exfiltration, or further - compromise of the system. Monitoring and tuning this detection helps identify and - differentiate between normal and potentially harmful usage. +description: The following analytic detects the use of 'curl' and 'wget' commands within a Linux environment. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names, user information, and command-line executions. This activity is significant as 'curl' and 'wget' are commonly used for downloading files, which can indicate potential ingress of malicious tools. If confirmed malicious, this activity could lead to unauthorized code execution, data exfiltration, or further compromise of the system. Monitoring and tuning this detection helps identify and differentiate between normal and potentially harmful usage. data_source: - Sysmon for Linux EventID 1 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) - as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=curl - OR Processes.process_name=wget) by Processes.dest Processes.user Processes.parent_process_name - Processes.process_name Processes.process Processes.process_id Processes.parent_process_id - | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` - | `linux_ingress_tool_transfer_hunting_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection - and Response (EDR) agents. These agents are designed to provide security-related - telemetry from the endpoints where the agent is installed. To implement this search, - you must ingest logs that contain the process GUID, process name, and parent process. - Additionally, you must ingest complete command-line executions. These logs must - be processed using the appropriate Splunk Technology Add-ons that are specific to - the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` - data model. Use the Splunk Common Information Model (CIM) to normalize the field - names and speed up the data modeling process. -known_false_positives: False positives will be present. This query is meant to help - tune other curl and wget analytics. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=curl OR Processes.process_name=wget) by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_ingress_tool_transfer_hunting_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. +known_false_positives: False positives will be present. This query is meant to help tune other curl and wget analytics. references: - https://gtfobins.github.io/gtfobins/curl/ - https://curl.se/docs/manpage.html#-I @@ -44,8 +23,7 @@ tags: asset_type: Endpoint confidence: 10 impact: 10 - message: An instance of $process_name$ was identified on endpoint $dest$ by user - $user$ utilizing curl or wget. + message: An instance of $process_name$ was identified on endpoint $dest$ by user $user$ utilizing curl or wget. mitre_attack_id: - T1105 observable: @@ -83,8 +61,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1105/atomic_red_team/curl-linux-sysmon.log + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1105/atomic_red_team/curl-linux-sysmon.log source: Syslog:Linux-Sysmon/Operational sourcetype: sysmon:linux update_timestamp: true diff --git a/detections/endpoint/linux_ingress_tool_transfer_with_curl.yml b/detections/endpoint/linux_ingress_tool_transfer_with_curl.yml index 1b50afd788..d3efb99447 100644 --- a/detections/endpoint/linux_ingress_tool_transfer_with_curl.yml +++ b/detections/endpoint/linux_ingress_tool_transfer_with_curl.yml @@ -17,12 +17,12 @@ references: - https://gtfobins.github.io/gtfobins/curl/ - https://github.com/rapid7/metasploit-framework/search?q=curl drilldown_searches: -- name: View the detection results for $user$ and $dest$ - search: '%original_detection_search% | search user = $user$ dest = $dest$' +- name: View the detection results for - "$user$" and "$dest$" + search: '%original_detection_search% | search user = "$user$" dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ and $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$, $dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" and "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/linux_insert_kernel_module_using_insmod_utility.yml b/detections/endpoint/linux_insert_kernel_module_using_insmod_utility.yml index 3d86abbfc7..e5bd62232d 100644 --- a/detections/endpoint/linux_insert_kernel_module_using_insmod_utility.yml +++ b/detections/endpoint/linux_insert_kernel_module_using_insmod_utility.yml @@ -16,12 +16,12 @@ references: - https://security.stackexchange.com/questions/175953/how-to-load-a-malicious-lkm-at-startup - https://0x00sec.org/t/kernel-rootkits-getting-your-hands-dirty/1485 drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/linux_install_kernel_module_using_modprobe_utility.yml b/detections/endpoint/linux_install_kernel_module_using_modprobe_utility.yml index 8a10021d0a..5beb8ec250 100644 --- a/detections/endpoint/linux_install_kernel_module_using_modprobe_utility.yml +++ b/detections/endpoint/linux_install_kernel_module_using_modprobe_utility.yml @@ -16,12 +16,12 @@ references: - https://security.stackexchange.com/questions/175953/how-to-load-a-malicious-lkm-at-startup - https://0x00sec.org/t/kernel-rootkits-getting-your-hands-dirty/1485 drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/linux_iptables_firewall_modification.yml b/detections/endpoint/linux_iptables_firewall_modification.yml index 53b7689e09..a4834c41fc 100644 --- a/detections/endpoint/linux_iptables_firewall_modification.yml +++ b/detections/endpoint/linux_iptables_firewall_modification.yml @@ -17,12 +17,12 @@ references: - https://www.ncsc.gov.uk/files/Cyclops-Blink-Malware-Analysis-Report.pdf - https://www.trendmicro.com/en_us/research/22/c/cyclops-blink-sets-sights-on-asus-routers--.html drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/linux_java_spawning_shell.yml b/detections/endpoint/linux_java_spawning_shell.yml index 4bc433b918..f07fe010ea 100644 --- a/detections/endpoint/linux_java_spawning_shell.yml +++ b/detections/endpoint/linux_java_spawning_shell.yml @@ -15,12 +15,12 @@ references: - https://blog.netlab.360.com/ten-families-of-malicious-samples-are-spreading-using-the-log4j2-vulnerability-now/ - https://gist.github.com/olafhartong/916ebc673ba066537740164f7e7e1d72 drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/linux_kernel_module_enumeration.yml b/detections/endpoint/linux_kernel_module_enumeration.yml index c7fddcb96a..6c3da70583 100644 --- a/detections/endpoint/linux_kernel_module_enumeration.yml +++ b/detections/endpoint/linux_kernel_module_enumeration.yml @@ -14,12 +14,12 @@ known_false_positives: False positives are present based on automated tooling or references: - https://man7.org/linux/man-pages/man8/kmod.8.html drilldown_searches: -- name: View the detection results for $user$ and $dest$ - search: '%original_detection_search% | search user = $user$ dest = $dest$' +- name: View the detection results for - "$user$" and "$dest$" + search: '%original_detection_search% | search user = "$user$" dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ and $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$, $dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" and "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/linux_kworker_process_in_writable_process_path.yml b/detections/endpoint/linux_kworker_process_in_writable_process_path.yml index 4ebaf96939..f113377782 100644 --- a/detections/endpoint/linux_kworker_process_in_writable_process_path.yml +++ b/detections/endpoint/linux_kworker_process_in_writable_process_path.yml @@ -7,33 +7,11 @@ status: production type: Hunting datamodel: - Endpoint -description: The following analytic detects the execution of a kworker process with - a command line in writable directories such as /home/, /var/log, and /tmp on a Linux - machine. It leverages data from Endpoint Detection and Response (EDR) agents, focusing - on process and parent process paths. This activity is significant as kworker processes - are typically kernel threads, and their presence in writable directories is unusual - and indicative of potential malware, such as CyclopsBlink. If confirmed malicious, - this could allow attackers to blend malicious processes with legitimate ones, leading - to persistent access and further system compromise. +description: The following analytic detects the execution of a kworker process with a command line in writable directories such as /home/, /var/log, and /tmp on a Linux machine. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process and parent process paths. This activity is significant as kworker processes are typically kernel threads, and their presence in writable directories is unusual and indicative of potential malware, such as CyclopsBlink. If confirmed malicious, this could allow attackers to blend malicious processes with legitimate ones, leading to persistent access and further system compromise. data_source: - Sysmon for Linux EventID 1 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) - as lastTime from datamodel=Endpoint.Processes where Processes.parent_process = - "*[kworker/*" Processes.parent_process_path IN ("/home/*", "/tmp/*", "/var/log/*") - Processes.process="*iptables*" by Processes.parent_process_name Processes.parent_process - Processes.process_name Processes.process Processes.process_id Processes.parent_process_id - Processes.parent_process_path Processes.process_guid Processes.dest Processes.user - | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` - | `linux_kworker_process_in_writable_process_path_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection - and Response (EDR) agents. These agents are designed to provide security-related - telemetry from the endpoints where the agent is installed. To implement this search, - you must ingest logs that contain the process GUID, process name, and parent process. - Additionally, you must ingest complete command-line executions. These logs must - be processed using the appropriate Splunk Technology Add-ons that are specific to - the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` - data model. Use the Splunk Common Information Model (CIM) to normalize the field - names and speed up the data modeling process. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process = "*[kworker/*" Processes.parent_process_path IN ("/home/*", "/tmp/*", "/var/log/*") Processes.process="*iptables*" by Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.parent_process_path Processes.process_guid Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_kworker_process_in_writable_process_path_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. known_false_positives: unknown references: - https://www.ncsc.gov.uk/files/Cyclops-Blink-Malware-Analysis-Report.pdf @@ -74,7 +52,6 @@ tags: tests: - name: True Positive Test attack_data: - - data: - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/cyclopsblink/sysmon_linux.log + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/cyclopsblink/sysmon_linux.log source: Syslog:Linux-Sysmon/Operational sourcetype: sysmon:linux diff --git a/detections/endpoint/linux_make_privilege_escalation.yml b/detections/endpoint/linux_make_privilege_escalation.yml index 5ed19ee770..94b18226a5 100644 --- a/detections/endpoint/linux_make_privilege_escalation.yml +++ b/detections/endpoint/linux_make_privilege_escalation.yml @@ -15,12 +15,12 @@ references: - https://gtfobins.github.io/gtfobins/make/ - https://www.javatpoint.com/linux-make-command drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/linux_mysql_privilege_escalation.yml b/detections/endpoint/linux_mysql_privilege_escalation.yml index 5527ffeec8..0cc85e74cb 100644 --- a/detections/endpoint/linux_mysql_privilege_escalation.yml +++ b/detections/endpoint/linux_mysql_privilege_escalation.yml @@ -14,12 +14,12 @@ known_false_positives: False positives are present based on automated tooling or references: - https://gtfobins.github.io/gtfobins/mysql/ drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/linux_ngrok_reverse_proxy_usage.yml b/detections/endpoint/linux_ngrok_reverse_proxy_usage.yml index 152840b6d5..430384539f 100644 --- a/detections/endpoint/linux_ngrok_reverse_proxy_usage.yml +++ b/detections/endpoint/linux_ngrok_reverse_proxy_usage.yml @@ -15,12 +15,12 @@ references: - https://ngrok.com - https://www.cisa.gov/uscert/sites/default/files/publications/aa22-320a_joint_csa_iranian_government-sponsored_apt_actors_compromise_federal%20network_deploy_crypto%20miner_credential_harvester.pdf drilldown_searches: -- name: View the detection results for $user$ and $dest$ - search: '%original_detection_search% | search user = $user$ dest = $dest$' +- name: View the detection results for - "$user$" and "$dest$" + search: '%original_detection_search% | search user = "$user$" dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ and $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$, $dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" and "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/linux_node_privilege_escalation.yml b/detections/endpoint/linux_node_privilege_escalation.yml index b06ec94eed..96a6304aff 100644 --- a/detections/endpoint/linux_node_privilege_escalation.yml +++ b/detections/endpoint/linux_node_privilege_escalation.yml @@ -15,12 +15,12 @@ references: - https://gtfobins.github.io/gtfobins/docker/ - https://en.wikipedia.org/wiki/Node.js drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/linux_nopasswd_entry_in_sudoers_file.yml b/detections/endpoint/linux_nopasswd_entry_in_sudoers_file.yml index 076d6dffc8..95d100074f 100644 --- a/detections/endpoint/linux_nopasswd_entry_in_sudoers_file.yml +++ b/detections/endpoint/linux_nopasswd_entry_in_sudoers_file.yml @@ -15,12 +15,12 @@ references: - https://askubuntu.com/questions/334318/sudoers-file-enable-nopasswd-for-user-all-commands - https://help.ubuntu.com/community/Sudoers drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/linux_obfuscated_files_or_information_base64_decode.yml b/detections/endpoint/linux_obfuscated_files_or_information_base64_decode.yml index c399f59176..3909f1243b 100644 --- a/detections/endpoint/linux_obfuscated_files_or_information_base64_decode.yml +++ b/detections/endpoint/linux_obfuscated_files_or_information_base64_decode.yml @@ -16,12 +16,12 @@ references: - https://redcanary.com/blog/lateral-movement-with-secure-shell/ - https://linux.die.net/man/1/base64 drilldown_searches: -- name: View the detection results for $user$ and $dest$ - search: '%original_detection_search% | search user = $user$ dest = $dest$' +- name: View the detection results for - "$user$" and "$dest$" + search: '%original_detection_search% | search user = "$user$" dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ and $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$, $dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" and "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/linux_octave_privilege_escalation.yml b/detections/endpoint/linux_octave_privilege_escalation.yml index 628bc38cb5..d92df168f8 100644 --- a/detections/endpoint/linux_octave_privilege_escalation.yml +++ b/detections/endpoint/linux_octave_privilege_escalation.yml @@ -15,12 +15,12 @@ references: - https://gtfobins.github.io/gtfobins/octave/ - https://en.wikipedia.org/wiki/GNU_Octave drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/linux_openvpn_privilege_escalation.yml b/detections/endpoint/linux_openvpn_privilege_escalation.yml index 21b5f94905..20546d4dab 100644 --- a/detections/endpoint/linux_openvpn_privilege_escalation.yml +++ b/detections/endpoint/linux_openvpn_privilege_escalation.yml @@ -15,12 +15,12 @@ references: - https://gtfobins.github.io/gtfobins/openvpn/ - https://en.wikipedia.org/wiki/OpenVPN drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/linux_persistence_and_privilege_escalation_risk_behavior.yml b/detections/endpoint/linux_persistence_and_privilege_escalation_risk_behavior.yml index 4a4cacb698..50eae30781 100644 --- a/detections/endpoint/linux_persistence_and_privilege_escalation_risk_behavior.yml +++ b/detections/endpoint/linux_persistence_and_privilege_escalation_risk_behavior.yml @@ -13,12 +13,12 @@ known_false_positives: False positives will be present based on many factors. Tu references: - https://attack.mitre.org/tactics/TA0004/ drilldown_searches: -- name: View the detection results for $risk_object$ - search: '%original_detection_search% | search risk_object = $risk_object$' +- name: View the detection results for - "$risk_object$" + search: '%original_detection_search% | search risk_object = "$risk_object$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $risk_object$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($risk_object$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$risk_object$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$risk_object$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/linux_php_privilege_escalation.yml b/detections/endpoint/linux_php_privilege_escalation.yml index 0724122564..ad00906f2f 100644 --- a/detections/endpoint/linux_php_privilege_escalation.yml +++ b/detections/endpoint/linux_php_privilege_escalation.yml @@ -15,12 +15,12 @@ references: - https://gtfobins.github.io/gtfobins/php/ - https://en.wikipedia.org/wiki/PHP drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/linux_pkexec_privilege_escalation.yml b/detections/endpoint/linux_pkexec_privilege_escalation.yml index 4835051c77..c28dc03619 100644 --- a/detections/endpoint/linux_pkexec_privilege_escalation.yml +++ b/detections/endpoint/linux_pkexec_privilege_escalation.yml @@ -17,12 +17,12 @@ references: - https://www.bleepingcomputer.com/news/security/linux-system-service-bug-gives-root-on-all-major-distros-exploit-released/ - https://access.redhat.com/security/security-updates/#/?q=polkit&p=1&sort=portal_publication_date%20desc&rows=10&portal_advisory_type=Security%20Advisory&documentKind=PortalProduct drilldown_searches: -- name: View the detection results for $user$ and $dest$ - search: '%original_detection_search% | search user = $user$ dest = $dest$' +- name: View the detection results for - "$user$" and "$dest$" + search: '%original_detection_search% | search user = "$user$" dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ and $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$, $dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" and "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/linux_possible_access_or_modification_of_sshd_config_file.yml b/detections/endpoint/linux_possible_access_or_modification_of_sshd_config_file.yml index 02c2e2428a..9eb0ae41d0 100644 --- a/detections/endpoint/linux_possible_access_or_modification_of_sshd_config_file.yml +++ b/detections/endpoint/linux_possible_access_or_modification_of_sshd_config_file.yml @@ -15,12 +15,12 @@ references: - https://www.hackingarticles.in/ssh-penetration-testing-port-22/ - https://attack.mitre.org/techniques/T1098/004/ drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/linux_possible_access_to_credential_files.yml b/detections/endpoint/linux_possible_access_to_credential_files.yml index c36d2ce4e8..eb3959d368 100644 --- a/detections/endpoint/linux_possible_access_to_credential_files.yml +++ b/detections/endpoint/linux_possible_access_to_credential_files.yml @@ -15,12 +15,12 @@ references: - https://askubuntu.com/questions/445361/what-is-difference-between-etc-shadow-and-etc-passwd - https://attack.mitre.org/techniques/T1003/008/ drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/linux_possible_access_to_sudoers_file.yml b/detections/endpoint/linux_possible_access_to_sudoers_file.yml index 41d1beadc7..4136db1b8b 100644 --- a/detections/endpoint/linux_possible_access_to_sudoers_file.yml +++ b/detections/endpoint/linux_possible_access_to_sudoers_file.yml @@ -15,12 +15,12 @@ references: - https://attack.mitre.org/techniques/T1548/003/ - https://web.archive.org/web/20210708035426/https://www.cobaltstrike.com/downloads/csmanual43.pdf drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/linux_possible_append_command_to_at_allow_config_file.yml b/detections/endpoint/linux_possible_append_command_to_at_allow_config_file.yml index 70177e152d..a1a9856643 100644 --- a/detections/endpoint/linux_possible_append_command_to_at_allow_config_file.yml +++ b/detections/endpoint/linux_possible_append_command_to_at_allow_config_file.yml @@ -15,12 +15,12 @@ references: - https://linuxize.com/post/at-command-in-linux/ - https://attack.mitre.org/techniques/T1053/001/ drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/linux_possible_append_command_to_profile_config_file.yml b/detections/endpoint/linux_possible_append_command_to_profile_config_file.yml index 541332671b..02cfba25df 100644 --- a/detections/endpoint/linux_possible_append_command_to_profile_config_file.yml +++ b/detections/endpoint/linux_possible_append_command_to_profile_config_file.yml @@ -15,12 +15,12 @@ references: - https://unix.stackexchange.com/questions/129143/what-is-the-purpose-of-bashrc-and-how-does-it-work - https://attack.mitre.org/techniques/T1546/004/ drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/linux_possible_append_cronjob_entry_on_existing_cronjob_file.yml b/detections/endpoint/linux_possible_append_cronjob_entry_on_existing_cronjob_file.yml index b8d407dc63..bd27ec0764 100644 --- a/detections/endpoint/linux_possible_append_cronjob_entry_on_existing_cronjob_file.yml +++ b/detections/endpoint/linux_possible_append_cronjob_entry_on_existing_cronjob_file.yml @@ -5,34 +5,12 @@ date: '2024-10-17' author: Teoderick Contreras, Splunk status: production type: Hunting -description: 'The following analytic detects potential tampering with cronjob files - on a Linux system by identifying ''echo'' commands that append code to existing - cronjob files. It leverages logs from Endpoint Detection and Response (EDR) agents, - focusing on process names, parent processes, and command-line executions. This activity - is significant because adversaries often use it for persistence or privilege escalation. - If confirmed malicious, this could allow attackers to execute unauthorized code - automatically, leading to system compromises and unauthorized data access, thereby - impacting business operations and data integrity.' +description: The following analytic detects potential tampering with cronjob files on a Linux system by identifying 'echo' commands that append code to existing cronjob files. It leverages logs from Endpoint Detection and Response (EDR) agents, focusing on process names, parent processes, and command-line executions. This activity is significant because adversaries often use it for persistence or privilege escalation. If confirmed malicious, this could allow attackers to execute unauthorized code automatically, leading to system compromises and unauthorized data access, thereby impacting business operations and data integrity. data_source: - Sysmon for Linux EventID 1 -search: '| tstats `security_content_summariesonly` count from datamodel=Endpoint.Processes - where Processes.process = "*echo*" AND Processes.process IN("*/etc/cron*", "*/var/spool/cron/*", - "*/etc/anacrontab*") by Processes.dest Processes.user Processes.parent_process_name - Processes.process_name Processes.process Processes.process_id Processes.parent_process_id - Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` | `linux_possible_append_cronjob_entry_on_existing_cronjob_file_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection - and Response (EDR) agents. These agents are designed to provide security-related - telemetry from the endpoints where the agent is installed. To implement this search, - you must ingest logs that contain the process GUID, process name, and parent process. - Additionally, you must ingest complete command-line executions. These logs must - be processed using the appropriate Splunk Technology Add-ons that are specific to - the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` - data model. Use the Splunk Common Information Model (CIM) to normalize the field - names and speed up the data modeling process. -known_false_positives: False positives may arise from legitimate actions by administrators - or network operators who may use these commands for automation purposes. Therefore, - it's recommended to adjust filter macros to eliminate such false positives. +search: '| tstats `security_content_summariesonly` count from datamodel=Endpoint.Processes where Processes.process = "*echo*" AND Processes.process IN("*/etc/cron*", "*/var/spool/cron/*", "*/etc/anacrontab*") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_possible_append_cronjob_entry_on_existing_cronjob_file_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. +known_false_positives: False positives may arise from legitimate actions by administrators or network operators who may use these commands for automation purposes. Therefore, it's recommended to adjust filter macros to eliminate such false positives. references: - https://attack.mitre.org/techniques/T1053/003/ - https://blog.aquasec.com/threat-alert-kinsing-malware-container-vulnerability @@ -73,7 +51,6 @@ tags: tests: - name: True Positive Test attack_data: - - data: - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.003/cronjobs_entry/sysmon_linux.log + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.003/cronjobs_entry/sysmon_linux.log source: Syslog:Linux-Sysmon/Operational sourcetype: sysmon:linux diff --git a/detections/endpoint/linux_possible_cronjob_modification_with_editor.yml b/detections/endpoint/linux_possible_cronjob_modification_with_editor.yml index cc0bbf2cb4..c92f717c39 100644 --- a/detections/endpoint/linux_possible_cronjob_modification_with_editor.yml +++ b/detections/endpoint/linux_possible_cronjob_modification_with_editor.yml @@ -5,33 +5,12 @@ date: '2024-10-17' author: Teoderick Contreras, Splunk status: production type: Hunting -description: 'The following analytic detects potential unauthorized modifications - to Linux cronjobs using text editors like "nano," "vi," or "vim." It identifies - this activity by monitoring command-line executions that interact with cronjob configuration - paths. This behavior is significant for a SOC as it may indicate attempts at privilege - escalation or establishing persistent access. If confirmed malicious, the impact - could be severe, allowing attackers to execute damaging actions such as data theft, - system sabotage, or further network penetration.' +description: The following analytic detects potential unauthorized modifications to Linux cronjobs using text editors like "nano," "vi," or "vim." It identifies this activity by monitoring command-line executions that interact with cronjob configuration paths. This behavior is significant for a SOC as it may indicate attempts at privilege escalation or establishing persistent access. If confirmed malicious, the impact could be severe, allowing attackers to execute damaging actions such as data theft, system sabotage, or further network penetration. data_source: - Sysmon for Linux EventID 1 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) - as lastTime from datamodel=Endpoint.Processes where (Processes.process_name IN("nano","vim.basic") - OR Processes.process IN ("*nano *", "*vi *", "*vim *")) AND Processes.process IN("*/etc/cron*", - "*/var/spool/cron/*", "*/etc/anacrontab*") by Processes.dest Processes.user Processes.parent_process_name - Processes.process_name Processes.process Processes.process_id Processes.parent_process_id - | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` - | `linux_possible_cronjob_modification_with_editor_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection - and Response (EDR) agents. These agents are designed to provide security-related - telemetry from the endpoints where the agent is installed. To implement this search, - you must ingest logs that contain the process GUID, process name, and parent process. - Additionally, you must ingest complete command-line executions. These logs must - be processed using the appropriate Splunk Technology Add-ons that are specific to - the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` - data model. Use the Splunk Common Information Model (CIM) to normalize the field - names and speed up the data modeling process. -known_false_positives: Administrator or network operator can use this commandline - for automation purposes. Please update the filter macros to remove false positives. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name IN("nano","vim.basic") OR Processes.process IN ("*nano *", "*vi *", "*vim *")) AND Processes.process IN("*/etc/cron*", "*/var/spool/cron/*", "*/etc/anacrontab*") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_possible_cronjob_modification_with_editor_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. +known_false_positives: Administrator or network operator can use this commandline for automation purposes. Please update the filter macros to remove false positives. references: - https://attack.mitre.org/techniques/T1053/003/ tags: @@ -70,7 +49,6 @@ tags: tests: - name: True Positive Test attack_data: - - data: - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.003/cronjobs_entry/sysmon_linux.log + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.003/cronjobs_entry/sysmon_linux.log source: Syslog:Linux-Sysmon/Operational sourcetype: sysmon:linux diff --git a/detections/endpoint/linux_possible_ssh_key_file_creation.yml b/detections/endpoint/linux_possible_ssh_key_file_creation.yml index e11a27e445..699db7117d 100644 --- a/detections/endpoint/linux_possible_ssh_key_file_creation.yml +++ b/detections/endpoint/linux_possible_ssh_key_file_creation.yml @@ -15,12 +15,12 @@ references: - https://www.hackingarticles.in/ssh-penetration-testing-port-22/ - https://attack.mitre.org/techniques/T1098/004/ drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/linux_preload_hijack_library_calls.yml b/detections/endpoint/linux_preload_hijack_library_calls.yml index 219f41f606..f1a87bdcf5 100644 --- a/detections/endpoint/linux_preload_hijack_library_calls.yml +++ b/detections/endpoint/linux_preload_hijack_library_calls.yml @@ -14,12 +14,12 @@ known_false_positives: Administrator or network operator can execute this comman references: - https://compilepeace.medium.com/memory-malware-part-0x2-writing-userland-rootkits-via-ld-preload-30121c8343d5 drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/linux_proxy_socks_curl.yml b/detections/endpoint/linux_proxy_socks_curl.yml index 0ebf21a446..d6bf1cd352 100644 --- a/detections/endpoint/linux_proxy_socks_curl.yml +++ b/detections/endpoint/linux_proxy_socks_curl.yml @@ -19,12 +19,12 @@ references: - https://reqbin.com/req/c-ddxflki5/curl-proxy-server#:~:text=To%20use%20a%20proxy%20with,be%20URL%20decoded%20by%20Curl. - https://gtfobins.github.io/gtfobins/curl/ drilldown_searches: -- name: View the detection results for $user$ and $dest$ - search: '%original_detection_search% | search user = $user$ dest = $dest$' +- name: View the detection results for - "$user$" and "$dest$" + search: '%original_detection_search% | search user = "$user$" dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ and $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$, $dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" and "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/linux_puppet_privilege_escalation.yml b/detections/endpoint/linux_puppet_privilege_escalation.yml index c095e2d417..6990a1c32b 100644 --- a/detections/endpoint/linux_puppet_privilege_escalation.yml +++ b/detections/endpoint/linux_puppet_privilege_escalation.yml @@ -15,12 +15,12 @@ references: - https://gtfobins.github.io/gtfobins/puppet/ - https://en.wikipedia.org/wiki/Puppet_(software) drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/linux_rpm_privilege_escalation.yml b/detections/endpoint/linux_rpm_privilege_escalation.yml index 307a006848..0a6abe1396 100644 --- a/detections/endpoint/linux_rpm_privilege_escalation.yml +++ b/detections/endpoint/linux_rpm_privilege_escalation.yml @@ -15,12 +15,12 @@ references: - https://gtfobins.github.io/gtfobins/rpm/ - https://en.wikipedia.org/wiki/RPM_Package_Manager drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/linux_ruby_privilege_escalation.yml b/detections/endpoint/linux_ruby_privilege_escalation.yml index 7802c11a3f..4532ef9607 100644 --- a/detections/endpoint/linux_ruby_privilege_escalation.yml +++ b/detections/endpoint/linux_ruby_privilege_escalation.yml @@ -14,12 +14,12 @@ known_false_positives: False positives are present based on automated tooling or references: - https://gtfobins.github.io/gtfobins/ruby/ drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/linux_service_file_created_in_systemd_directory.yml b/detections/endpoint/linux_service_file_created_in_systemd_directory.yml index 8f176a040a..46e38fcbbc 100644 --- a/detections/endpoint/linux_service_file_created_in_systemd_directory.yml +++ b/detections/endpoint/linux_service_file_created_in_systemd_directory.yml @@ -17,12 +17,12 @@ references: - https://redcanary.com/blog/attck-t1501-understanding-systemd-service-persistence/ - https://github.com/microsoft/MSTIC-Sysmon/blob/main/linux/configs/attack-based/persistence/T1053.003_Cron_Activity.xml drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/linux_service_restarted.yml b/detections/endpoint/linux_service_restarted.yml index 163da3a895..90236f3737 100644 --- a/detections/endpoint/linux_service_restarted.yml +++ b/detections/endpoint/linux_service_restarted.yml @@ -14,12 +14,12 @@ known_false_positives: Administrator or network operator can use this commandlin references: - https://attack.mitre.org/techniques/T1543/003/ drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/linux_service_started_or_enabled.yml b/detections/endpoint/linux_service_started_or_enabled.yml index 4c98332ef3..a49bd4387a 100644 --- a/detections/endpoint/linux_service_started_or_enabled.yml +++ b/detections/endpoint/linux_service_started_or_enabled.yml @@ -14,12 +14,12 @@ known_false_positives: Administrator or network operator can use this commandlin references: - https://attack.mitre.org/techniques/T1543/003/ drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/linux_setuid_using_chmod_utility.yml b/detections/endpoint/linux_setuid_using_chmod_utility.yml index d25c93dd5d..e90b59d135 100644 --- a/detections/endpoint/linux_setuid_using_chmod_utility.yml +++ b/detections/endpoint/linux_setuid_using_chmod_utility.yml @@ -14,12 +14,12 @@ known_false_positives: Administrator or network operator can execute this comman references: - https://www.hackingarticles.in/linux-privilege-escalation-using-capabilities/ drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/linux_setuid_using_setcap_utility.yml b/detections/endpoint/linux_setuid_using_setcap_utility.yml index 7c958561d0..63a9d339f9 100644 --- a/detections/endpoint/linux_setuid_using_setcap_utility.yml +++ b/detections/endpoint/linux_setuid_using_setcap_utility.yml @@ -14,12 +14,12 @@ known_false_positives: Administrator or network operator can execute this comman references: - https://www.hackingarticles.in/linux-privilege-escalation-using-capabilities/ drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/linux_shred_overwrite_command.yml b/detections/endpoint/linux_shred_overwrite_command.yml index 145007a21e..043bdd0526 100644 --- a/detections/endpoint/linux_shred_overwrite_command.yml +++ b/detections/endpoint/linux_shred_overwrite_command.yml @@ -15,12 +15,12 @@ references: - https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/ - https://cert.gov.ua/article/39518 drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/linux_sqlite3_privilege_escalation.yml b/detections/endpoint/linux_sqlite3_privilege_escalation.yml index c41d01c168..48c8281336 100644 --- a/detections/endpoint/linux_sqlite3_privilege_escalation.yml +++ b/detections/endpoint/linux_sqlite3_privilege_escalation.yml @@ -15,12 +15,12 @@ references: - https://gtfobins.github.io/gtfobins/sqlite3/ - https://manpages.ubuntu.com/manpages/trusty/en/man1/sqlite3.1.html drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/linux_ssh_authorized_keys_modification.yml b/detections/endpoint/linux_ssh_authorized_keys_modification.yml index c47b557140..1852f70c3e 100644 --- a/detections/endpoint/linux_ssh_authorized_keys_modification.yml +++ b/detections/endpoint/linux_ssh_authorized_keys_modification.yml @@ -15,12 +15,12 @@ references: - https://redcanary.com/blog/lateral-movement-with-secure-shell/ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.004/T1098.004.md drilldown_searches: -- name: View the detection results for $user$ and $dest$ - search: '%original_detection_search% | search user = $user$ dest = $dest$' +- name: View the detection results for - "$user$" and "$dest$" + search: '%original_detection_search% | search user = "$user$" dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ and $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$, $dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" and "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/linux_ssh_remote_services_script_execute.yml b/detections/endpoint/linux_ssh_remote_services_script_execute.yml index 609e46a83a..4d6dadc793 100644 --- a/detections/endpoint/linux_ssh_remote_services_script_execute.yml +++ b/detections/endpoint/linux_ssh_remote_services_script_execute.yml @@ -14,12 +14,12 @@ known_false_positives: This is not a common command to be executed. Filter as ne references: - https://redcanary.com/blog/lateral-movement-with-secure-shell/ drilldown_searches: -- name: View the detection results for $user$ and $dest$ - search: '%original_detection_search% | search user = $user$ dest = $dest$' +- name: View the detection results for - "$user$" and "$dest$" + search: '%original_detection_search% | search user = "$user$" dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ and $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$, $dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" and "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/linux_stdout_redirection_to_dev_null_file.yml b/detections/endpoint/linux_stdout_redirection_to_dev_null_file.yml index 570e155701..4ecd70c6ba 100644 --- a/detections/endpoint/linux_stdout_redirection_to_dev_null_file.yml +++ b/detections/endpoint/linux_stdout_redirection_to_dev_null_file.yml @@ -5,31 +5,11 @@ date: '2024-10-17' author: Teoderick Contreras, Splunk status: experimental type: Anomaly -description: The following analytic detects command-line activities that redirect - stdout or stderr to the /dev/null file. It leverages data from Endpoint Detection - and Response (EDR) agents, focusing on process execution logs. This behavior is - significant as it can indicate attempts to hide command outputs, a technique observed - in the CyclopsBlink malware to conceal modifications to iptables firewall settings. - If confirmed malicious, this activity could allow an attacker to stealthily alter - system configurations, potentially leading to unauthorized access or persistent - control over the compromised machine. +description: The following analytic detects command-line activities that redirect stdout or stderr to the /dev/null file. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs. This behavior is significant as it can indicate attempts to hide command outputs, a technique observed in the CyclopsBlink malware to conceal modifications to iptables firewall settings. If confirmed malicious, this activity could allow an attacker to stealthily alter system configurations, potentially leading to unauthorized access or persistent control over the compromised machine. data_source: - Sysmon for Linux EventID 1 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) - as lastTime from datamodel=Endpoint.Processes where Processes.process = "*&>/dev/null*" - by Processes.process_name Processes.process Processes.process_id Processes.parent_process_id - Processes.process_guid Processes.dest Processes.user Processes.parent_process_name - | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` - | `linux_stdout_redirection_to_dev_null_file_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection - and Response (EDR) agents. These agents are designed to provide security-related - telemetry from the endpoints where the agent is installed. To implement this search, - you must ingest logs that contain the process GUID, process name, and parent process. - Additionally, you must ingest complete command-line executions. These logs must - be processed using the appropriate Splunk Technology Add-ons that are specific to - the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` - data model. Use the Splunk Common Information Model (CIM) to normalize the field - names and speed up the data modeling process. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process = "*&>/dev/null*" by Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid Processes.dest Processes.user Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_stdout_redirection_to_dev_null_file_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. known_false_positives: unknown references: - https://www.ncsc.gov.uk/files/Cyclops-Blink-Malware-Analysis-Report.pdf @@ -69,7 +49,6 @@ tags: tests: - name: True Positive Test attack_data: - - data: - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/cyclopsblink/sysmon_linux.log + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/cyclopsblink/sysmon_linux.log source: Syslog:Linux-Sysmon/Operational sourcetype: sysmon:linux diff --git a/detections/endpoint/linux_stop_services.yml b/detections/endpoint/linux_stop_services.yml index 742c41ff92..2fb07d40eb 100644 --- a/detections/endpoint/linux_stop_services.yml +++ b/detections/endpoint/linux_stop_services.yml @@ -15,12 +15,12 @@ references: - https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/ - https://cert.gov.ua/article/39518 drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/linux_sudo_or_su_execution.yml b/detections/endpoint/linux_sudo_or_su_execution.yml index f418064c61..17326375d8 100644 --- a/detections/endpoint/linux_sudo_or_su_execution.yml +++ b/detections/endpoint/linux_sudo_or_su_execution.yml @@ -5,33 +5,12 @@ date: '2024-10-17' author: Teoderick Contreras, Splunk status: production type: Hunting -description: The following analytic detects the execution of the "sudo" or "su" command - on a Linux operating system. It leverages data from Endpoint Detection and Response - (EDR) agents, focusing on process names and parent process names. This activity - is significant because "sudo" and "su" commands are commonly used by adversaries - to elevate privileges, potentially leading to unauthorized access or control over - the system. If confirmed malicious, this activity could allow attackers to execute - commands with root privileges, leading to severe security breaches, data exfiltration, - or further system compromise. +description: The following analytic detects the execution of the "sudo" or "su" command on a Linux operating system. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and parent process names. This activity is significant because "sudo" and "su" commands are commonly used by adversaries to elevate privileges, potentially leading to unauthorized access or control over the system. If confirmed malicious, this activity could allow attackers to execute commands with root privileges, leading to severe security breaches, data exfiltration, or further system compromise. data_source: - Sysmon for Linux EventID 1 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) - as lastTime from datamodel=Endpoint.Processes where Processes.process_name IN ("sudo", - "su") OR Processes.parent_process_name IN ("sudo", "su") by Processes.dest Processes.user - Processes.parent_process_name Processes.process_name Processes.process Processes.process_id - Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` - | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_sudo_or_su_execution_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection - and Response (EDR) agents. These agents are designed to provide security-related - telemetry from the endpoints where the agent is installed. To implement this search, - you must ingest logs that contain the process GUID, process name, and parent process. - Additionally, you must ingest complete command-line executions. These logs must - be processed using the appropriate Splunk Technology Add-ons that are specific to - the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` - data model. Use the Splunk Common Information Model (CIM) to normalize the field - names and speed up the data modeling process. -known_false_positives: Administrator or network operator can execute this command. - Please update the filter macros to remove false positives. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name IN ("sudo", "su") OR Processes.parent_process_name IN ("sudo", "su") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_sudo_or_su_execution_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. +known_false_positives: Administrator or network operator can execute this command. Please update the filter macros to remove false positives. references: - https://attack.mitre.org/techniques/T1548/003/ tags: @@ -68,7 +47,6 @@ tags: tests: - name: True Positive Test attack_data: - - data: - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548.003/sudo_su/sysmon_linux.log + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548.003/sudo_su/sysmon_linux.log source: Syslog:Linux-Sysmon/Operational sourcetype: sysmon:linux diff --git a/detections/endpoint/linux_sudoers_tmp_file_creation.yml b/detections/endpoint/linux_sudoers_tmp_file_creation.yml index 362fbe08f0..44357a9747 100644 --- a/detections/endpoint/linux_sudoers_tmp_file_creation.yml +++ b/detections/endpoint/linux_sudoers_tmp_file_creation.yml @@ -14,12 +14,12 @@ known_false_positives: administrator or network operator can execute this comman references: - https://forum.ubuntuusers.de/topic/sudo-visudo-gibt-etc-sudoers-tmp/ drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/linux_system_network_discovery.yml b/detections/endpoint/linux_system_network_discovery.yml index a8b47aa7b6..9f00dcba56 100644 --- a/detections/endpoint/linux_system_network_discovery.yml +++ b/detections/endpoint/linux_system_network_discovery.yml @@ -14,12 +14,12 @@ known_false_positives: Administrator or network operator can execute this comman references: - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1016/T1016.md drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/linux_system_reboot_via_system_request_key.yml b/detections/endpoint/linux_system_reboot_via_system_request_key.yml index a626abba03..9788d771c7 100644 --- a/detections/endpoint/linux_system_reboot_via_system_request_key.yml +++ b/detections/endpoint/linux_system_reboot_via_system_request_key.yml @@ -16,12 +16,12 @@ references: - https://cert.gov.ua/article/3718487 - https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/overview-of-the-cyber-weapons-used-in-the-ukraine-russia-war/ drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/linux_unix_shell_enable_all_sysrq_functions.yml b/detections/endpoint/linux_unix_shell_enable_all_sysrq_functions.yml index 267304d4b5..432f98c3d1 100644 --- a/detections/endpoint/linux_unix_shell_enable_all_sysrq_functions.yml +++ b/detections/endpoint/linux_unix_shell_enable_all_sysrq_functions.yml @@ -16,12 +16,12 @@ references: - https://cert.gov.ua/article/3718487 - https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/overview-of-the-cyber-weapons-used-in-the-ukraine-russia-war/ drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/linux_visudo_utility_execution.yml b/detections/endpoint/linux_visudo_utility_execution.yml index 424d6eacf6..20fb83eac5 100644 --- a/detections/endpoint/linux_visudo_utility_execution.yml +++ b/detections/endpoint/linux_visudo_utility_execution.yml @@ -14,12 +14,12 @@ known_false_positives: Administrator or network operator can execute this comman references: - https://askubuntu.com/questions/334318/sudoers-file-enable-nopasswd-for-user-all-commands drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/living_off_the_land_detection.yml b/detections/endpoint/living_off_the_land_detection.yml index 00c1aae1f5..35658e70a0 100644 --- a/detections/endpoint/living_off_the_land_detection.yml +++ b/detections/endpoint/living_off_the_land_detection.yml @@ -14,12 +14,12 @@ references: - https://www.splunk.com/en_us/blog/security/living-off-the-land-threat-research-february-2022-release.html - https://research.splunk.com/stories/living_off_the_land/ drilldown_searches: -- name: View the detection results for $risk_object$ - search: '%original_detection_search% | search risk_object = $risk_object$' +- name: View the detection results for - "$risk_object$" + search: '%original_detection_search% | search risk_object = "$risk_object$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $risk_object$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($risk_object$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$risk_object$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$risk_object$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/loading_of_dynwrapx_module.yml b/detections/endpoint/loading_of_dynwrapx_module.yml index 03db7faf11..358a659122 100644 --- a/detections/endpoint/loading_of_dynwrapx_module.yml +++ b/detections/endpoint/loading_of_dynwrapx_module.yml @@ -19,12 +19,12 @@ references: - https://www.virustotal.com/gui/file/cb77b93150cb0f7fe65ce8a7e2a5781e727419451355a7736db84109fa215a89 - https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/local_account_discovery_with_net.yml b/detections/endpoint/local_account_discovery_with_net.yml index 91b82e133a..80dfef195c 100644 --- a/detections/endpoint/local_account_discovery_with_net.yml +++ b/detections/endpoint/local_account_discovery_with_net.yml @@ -5,33 +5,13 @@ date: '2024-10-17' author: Mauricio Velazco, Splunk status: production type: Hunting -description: The following analytic detects the execution of `net.exe` or `net1.exe` - with command-line arguments `user` or `users` to query local user accounts. It leverages - data from Endpoint Detection and Response (EDR) agents, focusing on process names - and command-line executions. This activity is significant as it indicates potential - reconnaissance efforts by adversaries to enumerate local users, which is a common - step in situational awareness and Active Directory discovery. If confirmed malicious, - this behavior could lead to further attacks, including privilege escalation and - lateral movement within the network. +description: The following analytic detects the execution of `net.exe` or `net1.exe` with command-line arguments `user` or `users` to query local user accounts. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. This activity is significant as it indicates potential reconnaissance efforts by adversaries to enumerate local users, which is a common step in situational awareness and Active Directory discovery. If confirmed malicious, this behavior could lead to further attacks, including privilege escalation and lateral movement within the network. data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) - as lastTime from datamodel=Endpoint.Processes where `process_net` (Processes.process=*user - OR Processes.process=*users) by Processes.dest Processes.user Processes.parent_process - Processes.process_name Processes.process Processes.process_id Processes.parent_process_id - | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` - | `local_account_discovery_with_net_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection - and Response (EDR) agents. These agents are designed to provide security-related - telemetry from the endpoints where the agent is installed. To implement this search, - you must ingest logs that contain the process GUID, process name, and parent process. - Additionally, you must ingest complete command-line executions. These logs must - be processed using the appropriate Splunk Technology Add-ons that are specific to - the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` - data model. Use the Splunk Common Information Model (CIM) to normalize the field - names and speed up the data modeling process. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_net` (Processes.process=*user OR Processes.process=*users) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `local_account_discovery_with_net_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. known_false_positives: Administrators or power users may use this command for troubleshooting. references: - https://attack.mitre.org/techniques/T1087/001/ @@ -62,7 +42,6 @@ tags: tests: - name: True Positive Test attack_data: - - data: - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1087.001/AD_discovery/windows-sysmon.log + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1087.001/AD_discovery/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/local_account_discovery_with_wmic.yml b/detections/endpoint/local_account_discovery_with_wmic.yml index 140a98b654..a6e3fd90db 100644 --- a/detections/endpoint/local_account_discovery_with_wmic.yml +++ b/detections/endpoint/local_account_discovery_with_wmic.yml @@ -5,32 +5,13 @@ date: '2024-10-17' author: Mauricio Velazco, Splunk status: production type: Hunting -description: The following analytic detects the execution of `wmic.exe` with command-line - arguments used to query local user accounts, specifically the `useraccount` argument. - It leverages data from Endpoint Detection and Response (EDR) agents, focusing on - process execution logs that include command-line details. This activity is significant - as it indicates potential reconnaissance efforts by adversaries to enumerate local - users, which is a common step in situational awareness and Active Directory discovery. - If confirmed malicious, this behavior could lead to further targeted attacks, privilege - escalation, or lateral movement within the network. +description: The following analytic detects the execution of `wmic.exe` with command-line arguments used to query local user accounts, specifically the `useraccount` argument. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs that include command-line details. This activity is significant as it indicates potential reconnaissance efforts by adversaries to enumerate local users, which is a common step in situational awareness and Active Directory discovery. If confirmed malicious, this behavior could lead to further targeted attacks, privilege escalation, or lateral movement within the network. data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) - as lastTime from datamodel=Endpoint.Processes where `process_wmic` (Processes.process=*useraccount*) - by Processes.dest Processes.user Processes.parent_process Processes.process_name - Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` - | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `local_account_discovery_with_wmic_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection - and Response (EDR) agents. These agents are designed to provide security-related - telemetry from the endpoints where the agent is installed. To implement this search, - you must ingest logs that contain the process GUID, process name, and parent process. - Additionally, you must ingest complete command-line executions. These logs must - be processed using the appropriate Splunk Technology Add-ons that are specific to - the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` - data model. Use the Splunk Common Information Model (CIM) to normalize the field - names and speed up the data modeling process. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_wmic` (Processes.process=*useraccount*) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `local_account_discovery_with_wmic_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. known_false_positives: Administrators or power users may use this command for troubleshooting. references: - https://attack.mitre.org/techniques/T1087/001/ @@ -60,7 +41,6 @@ tags: tests: - name: True Positive Test attack_data: - - data: - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1087.001/AD_discovery/windows-sysmon.log + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1087.001/AD_discovery/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/log4shell_cve_2021_44228_exploitation.yml b/detections/endpoint/log4shell_cve_2021_44228_exploitation.yml index f5ec626b3a..3153b8f737 100644 --- a/detections/endpoint/log4shell_cve_2021_44228_exploitation.yml +++ b/detections/endpoint/log4shell_cve_2021_44228_exploitation.yml @@ -14,12 +14,12 @@ references: - https://research.splunk.com/stories/log4shell_cve-2021-44228/ - https://www.splunk.com/en_us/blog/security/simulating-detecting-and-responding-to-log4shell-with-splunk.html drilldown_searches: -- name: View the detection results for $risk_object$ - search: '%original_detection_search% | search risk_object = $risk_object$' +- name: View the detection results for - "$risk_object$" + search: '%original_detection_search% | search risk_object = "$risk_object$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $risk_object$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($risk_object$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$risk_object$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$risk_object$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/logon_script_event_trigger_execution.yml b/detections/endpoint/logon_script_event_trigger_execution.yml index 3cf00134c5..175e61a6b8 100644 --- a/detections/endpoint/logon_script_event_trigger_execution.yml +++ b/detections/endpoint/logon_script_event_trigger_execution.yml @@ -14,12 +14,12 @@ known_false_positives: unknown references: - https://attack.mitre.org/techniques/T1037/001/ drilldown_searches: -- name: View the detection results for $dest$ and $user$ - search: '%original_detection_search% | search dest = $dest$ user = $user$' +- name: View the detection results for - "$dest$" and "$user$" + search: '%original_detection_search% | search dest = "$dest$" user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ and $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$, $user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" and "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/lolbas_with_network_traffic.yml b/detections/endpoint/lolbas_with_network_traffic.yml index 1cabbe4569..8490f5c38b 100644 --- a/detections/endpoint/lolbas_with_network_traffic.yml +++ b/detections/endpoint/lolbas_with_network_traffic.yml @@ -15,12 +15,12 @@ references: - https://lolbas-project.github.io/# - https://www.sans.org/presentations/lolbin-detection-methods-seven-common-attacks-revealed/ drilldown_searches: -- name: View the detection results for $src$ - search: '%original_detection_search% | search src = $src$' +- name: View the detection results for - "$src$" + search: '%original_detection_search% | search src = "$src$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $src$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($src$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$src$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/macos___re_opened_applications.yml b/detections/endpoint/macos___re_opened_applications.yml index 34861ca2a8..c4ddf24cba 100644 --- a/detections/endpoint/macos___re_opened_applications.yml +++ b/detections/endpoint/macos___re_opened_applications.yml @@ -5,38 +5,12 @@ date: '2024-10-17' author: Jamie Windley, Splunk status: experimental type: TTP -description: The following analytic identifies processes referencing plist files that - determine which applications are re-opened when a user reboots their MacOS machine. - It leverages data from Endpoint Detection and Response (EDR) agents, focusing on - process names and parent processes related to "com.apple.loginwindow." This activity - is significant because it can indicate attempts to persist across reboots, a common - tactic used by attackers to maintain access. If confirmed malicious, this could - allow an attacker to execute code or maintain persistence on the affected system, - potentially leading to further compromise. +description: The following analytic identifies processes referencing plist files that determine which applications are re-opened when a user reboots their MacOS machine. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and parent processes related to "com.apple.loginwindow." This activity is significant because it can indicate attempts to persist across reboots, a common tactic used by attackers to maintain access. If confirmed malicious, this could allow an attacker to execute code or maintain persistence on the affected system, potentially leading to further compromise. data_source: - Sysmon EventID 1 -search: '| tstats `security_content_summariesonly` count values(Processes.process) - as process values(Processes.parent_process) as parent_process min(_time) as firstTime - max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process="*com.apple.loginwindow*" - by Processes.user Processes.process_name Processes.parent_process_name Processes.dest - | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` - | `macos___re_opened_applications_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection - and Response (EDR) agents. These agents are designed to provide security-related - telemetry from the endpoints where the agent is installed. To implement this search, - you must ingest logs that contain the process GUID, process name, and parent process. - Additionally, you must ingest complete command-line executions. These logs must - be processed using the appropriate Splunk Technology Add-ons that are specific to - the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` - data model. Use the Splunk Common Information Model (CIM) to normalize the field - names and speed up the data modeling process. -known_false_positives: At this stage, there are no known false positives. During testing, - no process events refering the com.apple.loginwindow.plist files were observed during - normal operation of re-opening applications on reboot. Therefore, it can be asumed - that any occurences of this in the process events would be worth investigating. - In the event that the legitimate modification by the system of these files is in - fact logged to the process log, then the process_name of that process can be added - to an allow list. +search: '| tstats `security_content_summariesonly` count values(Processes.process) as process values(Processes.parent_process) as parent_process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process="*com.apple.loginwindow*" by Processes.user Processes.process_name Processes.parent_process_name Processes.dest | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `macos___re_opened_applications_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. +known_false_positives: At this stage, there are no known false positives. During testing, no process events refering the com.apple.loginwindow.plist files were observed during normal operation of re-opening applications on reboot. Therefore, it can be asumed that any occurences of this in the process events would be worth investigating. In the event that the legitimate modification by the system of these files is in fact logged to the process log, then the process_name of that process can be added to an allow list. references: [] tags: analytic_story: diff --git a/detections/endpoint/macos_lolbin.yml b/detections/endpoint/macos_lolbin.yml index 26e67af751..edd386462c 100644 --- a/detections/endpoint/macos_lolbin.yml +++ b/detections/endpoint/macos_lolbin.yml @@ -13,12 +13,12 @@ known_false_positives: None identified. references: - https://osquery.readthedocs.io/en/stable/deployment/process-auditing/ drilldown_searches: -- name: View the detection results for $user$ and $dest$ - search: '%original_detection_search% | search user = $user$ dest = $dest$' +- name: View the detection results for - "$user$" and "$dest$" + search: '%original_detection_search% | search user = "$user$" dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ and $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$, $dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" and "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/macos_plutil.yml b/detections/endpoint/macos_plutil.yml index 669bd6ac85..e06373a131 100644 --- a/detections/endpoint/macos_plutil.yml +++ b/detections/endpoint/macos_plutil.yml @@ -14,12 +14,12 @@ known_false_positives: Administrators using plutil to change plist files. references: - https://osquery.readthedocs.io/en/stable/deployment/process-auditing/ drilldown_searches: -- name: View the detection results for $user$ and $dest$ - search: '%original_detection_search% | search user = $user$ dest = $dest$' +- name: View the detection results for - "$user$" and "$dest$" + search: '%original_detection_search% | search user = "$user$" dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ and $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$, $dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" and "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/mailsniper_invoke_functions.yml b/detections/endpoint/mailsniper_invoke_functions.yml index c54165388a..6af8853a6a 100644 --- a/detections/endpoint/mailsniper_invoke_functions.yml +++ b/detections/endpoint/mailsniper_invoke_functions.yml @@ -14,12 +14,12 @@ known_false_positives: unknown references: - https://www.blackhillsinfosec.com/introducing-mailsniper-a-tool-for-searching-every-users-email-for-sensitive-data/ drilldown_searches: -- name: View the detection results for $dest$ and $user$ - search: '%original_detection_search% | search dest = $dest$ user = $user$' +- name: View the detection results for - "$dest$" and "$user$" + search: '%original_detection_search% | search dest = "$dest$" user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ and $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$, $user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" and "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/malicious_inprocserver32_modification.yml b/detections/endpoint/malicious_inprocserver32_modification.yml index 1de2788d38..e8cd494d7e 100644 --- a/detections/endpoint/malicious_inprocserver32_modification.yml +++ b/detections/endpoint/malicious_inprocserver32_modification.yml @@ -17,12 +17,12 @@ references: - https://tria.ge/210929-ap75vsddan - https://www.virustotal.com/gui/file/cb77b93150cb0f7fe65ce8a7e2a5781e727419451355a7736db84109fa215a89 drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/malicious_powershell_executed_as_a_service.yml b/detections/endpoint/malicious_powershell_executed_as_a_service.yml index 38cf1fa6aa..fcee338d5e 100644 --- a/detections/endpoint/malicious_powershell_executed_as_a_service.yml +++ b/detections/endpoint/malicious_powershell_executed_as_a_service.yml @@ -16,12 +16,12 @@ references: - http://az4n6.blogspot.com/2017/ - https://www.danielbohannon.com/blog-1/2017/3/12/powershell-execution-argument-obfuscation-how-it-can-make-detection-easier drilldown_searches: -- name: View the detection results for $dest$ and $user$ - search: '%original_detection_search% | search dest = $dest$ user = $user$' +- name: View the detection results for - "$dest$" and "$user$" + search: '%original_detection_search% | search dest = "$dest$" user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ and $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$, $user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" and "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/malicious_powershell_process___encoded_command.yml b/detections/endpoint/malicious_powershell_process___encoded_command.yml index 5ceef58435..c62dfcaf1a 100644 --- a/detections/endpoint/malicious_powershell_process___encoded_command.yml +++ b/detections/endpoint/malicious_powershell_process___encoded_command.yml @@ -5,34 +5,13 @@ date: '2024-10-17' author: David Dorsey, Michael Haag, Splunk, SirDuckly, GitHub Community status: production type: Hunting -description: 'The following analytic detects the use of the EncodedCommand parameter - in PowerShell processes. It leverages Endpoint Detection and Response (EDR) data - to identify variations of the EncodedCommand parameter, including shortened forms - and different command switch types. This activity is significant because adversaries - often use encoded commands to obfuscate malicious scripts, making detection harder. - If confirmed malicious, this behavior could allow attackers to execute hidden code, - potentially leading to unauthorized access, privilege escalation, or persistent - threats within the environment. Review parallel events to determine legitimacy and - tune based on known administrative scripts.' +description: The following analytic detects the use of the EncodedCommand parameter in PowerShell processes. It leverages Endpoint Detection and Response (EDR) data to identify variations of the EncodedCommand parameter, including shortened forms and different command switch types. This activity is significant because adversaries often use encoded commands to obfuscate malicious scripts, making detection harder. If confirmed malicious, this behavior could allow attackers to execute hidden code, potentially leading to unauthorized access, privilege escalation, or persistent threats within the environment. Review parallel events to determine legitimacy and tune based on known administrative scripts. data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) - as lastTime from datamodel=Endpoint.Processes where `process_powershell` by Processes.user - Processes.process_name Processes.process Processes.parent_process_name Processes.original_file_name - Processes.dest Processes.process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` | where match(process,\"(?i)[\\-|\\/|–|—|―][Ee^]{1,2}[NnCcOoDdEeMmAa^]+\\s+[\\\"]?[A-Za-z0-9+/=]{5,}[\\\"]?\") - | `malicious_powershell_process___encoded_command_filter`" -how_to_implement: The detection is based on data that originates from Endpoint Detection - and Response (EDR) agents. These agents are designed to provide security-related - telemetry from the endpoints where the agent is installed. To implement this search, - you must ingest logs that contain the process GUID, process name, and parent process. - Additionally, you must ingest complete command-line executions. These logs must - be processed using the appropriate Splunk Technology Add-ons that are specific to - the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` - data model. Use the Splunk Common Information Model (CIM) to normalize the field - names and speed up the data modeling process. +search: "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_powershell` by Processes.user Processes.process_name Processes.process Processes.parent_process_name Processes.original_file_name Processes.dest Processes.process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | where match(process,\"(?i)[\\-|\\/|\u2013|\u2014|\u2015][Ee^]{1,2}[NnCcOoDdEeMmAa^]+\\s+[\\\"]?[A-Za-z0-9+/=]{5,}[\\\"]?\") | `malicious_powershell_process___encoded_command_filter`" +how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. known_false_positives: System administrators may use this option, but it's not common. references: - https://regexr.com/662ov @@ -81,7 +60,6 @@ tags: tests: - name: True Positive Test attack_data: - - data: - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1027/atomic_red_team/windows-sysmon.log + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1027/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog \ No newline at end of file + sourcetype: xmlwineventlog diff --git a/detections/endpoint/malicious_powershell_process___execution_policy_bypass.yml b/detections/endpoint/malicious_powershell_process___execution_policy_bypass.yml index c751760821..b176d1452b 100644 --- a/detections/endpoint/malicious_powershell_process___execution_policy_bypass.yml +++ b/detections/endpoint/malicious_powershell_process___execution_policy_bypass.yml @@ -16,12 +16,12 @@ known_false_positives: There may be legitimate reasons to bypass the PowerShell references: - https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/ drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/malicious_powershell_process_with_obfuscation_techniques.yml b/detections/endpoint/malicious_powershell_process_with_obfuscation_techniques.yml index 9deed079cd..e5f91292fa 100644 --- a/detections/endpoint/malicious_powershell_process_with_obfuscation_techniques.yml +++ b/detections/endpoint/malicious_powershell_process_with_obfuscation_techniques.yml @@ -13,12 +13,12 @@ how_to_implement: The detection is based on data that originates from Endpoint D known_false_positives: These characters might be legitimately on the command-line, but it is not common. references: [] drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/mimikatz_passtheticket_commandline_parameters.yml b/detections/endpoint/mimikatz_passtheticket_commandline_parameters.yml index 25d962e3f3..d37da92210 100644 --- a/detections/endpoint/mimikatz_passtheticket_commandline_parameters.yml +++ b/detections/endpoint/mimikatz_passtheticket_commandline_parameters.yml @@ -17,12 +17,12 @@ references: - https://github.com/gentilkiwi/mimikatz - https://attack.mitre.org/techniques/T1550/003/ drilldown_searches: -- name: View the detection results for $user$ and $dest$ - search: '%original_detection_search% | search user = $user$ dest = $dest$' +- name: View the detection results for - "$user$" and "$dest$" + search: '%original_detection_search% | search user = "$user$" dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ and $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$, $dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" and "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/mmc_lolbas_execution_process_spawn.yml b/detections/endpoint/mmc_lolbas_execution_process_spawn.yml index 3b34fd3104..11b164e8ff 100644 --- a/detections/endpoint/mmc_lolbas_execution_process_spawn.yml +++ b/detections/endpoint/mmc_lolbas_execution_process_spawn.yml @@ -18,12 +18,12 @@ references: - https://www.cybereason.com/blog/dcom-lateral-movement-techniques - https://lolbas-project.github.io/ drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/modification_of_wallpaper.yml b/detections/endpoint/modification_of_wallpaper.yml index 1080d32812..656209104f 100644 --- a/detections/endpoint/modification_of_wallpaper.yml +++ b/detections/endpoint/modification_of_wallpaper.yml @@ -16,12 +16,12 @@ references: - https://www.mcafee.com/blogs/other-blogs/mcafee-labs/mcafee-atr-analyzes-sodinokibi-aka-revil-ransomware-as-a-service-what-the-code-tells-us/ - https://news.sophos.com/en-us/2020/04/24/lockbit-ransomware-borrows-tricks-to-keep-up-with-revil-and-maze/ drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/modify_acl_permission_to_files_or_folder.yml b/detections/endpoint/modify_acl_permission_to_files_or_folder.yml index a990085494..a45a6ba3fb 100644 --- a/detections/endpoint/modify_acl_permission_to_files_or_folder.yml +++ b/detections/endpoint/modify_acl_permission_to_files_or_folder.yml @@ -16,12 +16,12 @@ known_false_positives: administrators may use this command. Filter as needed. references: - https://thedfirreport.com/2020/04/20/sqlserver-or-the-miner-in-the-basement/ drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/monitor_registry_keys_for_print_monitors.yml b/detections/endpoint/monitor_registry_keys_for_print_monitors.yml index e332b1504a..690aa52a0f 100644 --- a/detections/endpoint/monitor_registry_keys_for_print_monitors.yml +++ b/detections/endpoint/monitor_registry_keys_for_print_monitors.yml @@ -14,12 +14,12 @@ how_to_implement: To successfully implement this search, you need to be ingestin known_false_positives: You will encounter noise from legitimate print-monitor registry entries. references: [] drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/ms_exchange_mailbox_replication_service_writing_active_server_pages.yml b/detections/endpoint/ms_exchange_mailbox_replication_service_writing_active_server_pages.yml index 01e52bb63e..f69f8a4952 100644 --- a/detections/endpoint/ms_exchange_mailbox_replication_service_writing_active_server_pages.yml +++ b/detections/endpoint/ms_exchange_mailbox_replication_service_writing_active_server_pages.yml @@ -5,34 +5,12 @@ date: '2024-10-17' author: Michael Haag, Splunk status: experimental type: TTP -description: 'The following analytic identifies the creation of suspicious .aspx files - in specific directories associated with Exchange exploitation by the HAFNIUM group - and the ProxyShell vulnerability. It detects this activity by monitoring the MSExchangeMailboxReplication.exe - process, which typically does not write .aspx files. This behavior is significant - as it may indicate an active exploitation attempt on Exchange servers. If confirmed - malicious, attackers could gain unauthorized access, execute arbitrary code, or - maintain persistence within the environment. Immediate investigation and remediation - are crucial to prevent further compromise.' +description: The following analytic identifies the creation of suspicious .aspx files in specific directories associated with Exchange exploitation by the HAFNIUM group and the ProxyShell vulnerability. It detects this activity by monitoring the MSExchangeMailboxReplication.exe process, which typically does not write .aspx files. This behavior is significant as it may indicate an active exploitation attempt on Exchange servers. If confirmed malicious, attackers could gain unauthorized access, execute arbitrary code, or maintain persistence within the environment. Immediate investigation and remediation are crucial to prevent further compromise. data_source: - Sysmon EventID 1 AND Sysmon EventID 11 -search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes - where Processes.process_name=MSExchangeMailboxReplication.exe by _time span=1h - Processes.process_id Processes.process_name Processes.process_guid Processes.dest - | `drop_dm_object_name(Processes)` | join process_guid, _time [| tstats `security_content_summariesonly` - count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem - where Filesystem.file_path IN ("*\\HttpProxy\\owa\\auth\\*", "*\\inetpub\\wwwroot\\aspnet_client\\*", - "*\\HttpProxy\\OAB\\*") Filesystem.file_name="*.aspx" by _time span=1h Filesystem.dest - Filesystem.file_create_time Filesystem.file_name Filesystem.file_path | `drop_dm_object_name(Filesystem)` - | fields _time dest file_create_time file_name file_path process_name process_path - process process_guid] | dedup file_create_time | table dest file_create_time, file_name, - file_path, process_name | `ms_exchange_mailbox_replication_service_writing_active_server_pages_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information - on process that include the name of the process responsible for the changes from - your endpoints into the `Endpoint` datamodel in the `Processes` node and `Filesystem` - node. -known_false_positives: The query is structured in a way that `action` (read, create) - is not defined. Review the results of this query, filter, and tune as necessary. - It may be necessary to generate this query specific to your endpoint product. +search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where Processes.process_name=MSExchangeMailboxReplication.exe by _time span=1h Processes.process_id Processes.process_name Processes.process_guid Processes.dest | `drop_dm_object_name(Processes)` | join process_guid, _time [| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.file_path IN ("*\\HttpProxy\\owa\\auth\\*", "*\\inetpub\\wwwroot\\aspnet_client\\*", "*\\HttpProxy\\OAB\\*") Filesystem.file_name="*.aspx" by _time span=1h Filesystem.dest Filesystem.file_create_time Filesystem.file_name Filesystem.file_path | `drop_dm_object_name(Filesystem)` | fields _time dest file_create_time file_name file_path process_name process_path process process_guid] | dedup file_create_time | table dest file_create_time, file_name, file_path, process_name | `ms_exchange_mailbox_replication_service_writing_active_server_pages_filter`' +how_to_implement: To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node and `Filesystem` node. +known_false_positives: The query is structured in a way that `action` (read, create) is not defined. Review the results of this query, filter, and tune as necessary. It may be necessary to generate this query specific to your endpoint product. references: - https://redcanary.com/blog/blackbyte-ransomware/ tags: @@ -43,9 +21,7 @@ tags: asset_type: Endpoint confidence: 90 impact: 90 - message: A file - $file_name$ was written to disk that is related to IIS exploitation - related to ProxyShell. Review further file modifications on endpoint $dest$ by - user $user$. + message: A file - $file_name$ was written to disk that is related to IIS exploitation related to ProxyShell. Review further file modifications on endpoint $dest$ by user $user$. mitre_attack_id: - T1505 - T1505.003 diff --git a/detections/endpoint/ms_scripting_process_loading_ldap_module.yml b/detections/endpoint/ms_scripting_process_loading_ldap_module.yml index f33eb962bc..988ef2b1a8 100644 --- a/detections/endpoint/ms_scripting_process_loading_ldap_module.yml +++ b/detections/endpoint/ms_scripting_process_loading_ldap_module.yml @@ -15,12 +15,12 @@ references: - https://www.mandiant.com/resources/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation - https://attack.mitre.org/groups/G0046/ drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/ms_scripting_process_loading_wmi_module.yml b/detections/endpoint/ms_scripting_process_loading_wmi_module.yml index 45366d6b0c..7bfc8d9d7e 100644 --- a/detections/endpoint/ms_scripting_process_loading_wmi_module.yml +++ b/detections/endpoint/ms_scripting_process_loading_wmi_module.yml @@ -15,12 +15,12 @@ references: - https://www.mandiant.com/resources/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation - https://attack.mitre.org/groups/G0046/ drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/msbuild_suspicious_spawned_by_script_process.yml b/detections/endpoint/msbuild_suspicious_spawned_by_script_process.yml index f0d76846e7..d3b9ae8123 100644 --- a/detections/endpoint/msbuild_suspicious_spawned_by_script_process.yml +++ b/detections/endpoint/msbuild_suspicious_spawned_by_script_process.yml @@ -16,12 +16,12 @@ known_false_positives: False positives should be limited as developers do not sp references: - https://app.any.run/tasks/dc93ee63-050c-4ff8-b07e-8277af9ab939/ drilldown_searches: -- name: View the detection results for $dest$ and $user$ - search: '%original_detection_search% | search dest = $dest$ user = $user$' +- name: View the detection results for - "$dest$" and "$user$" + search: '%original_detection_search% | search dest = "$dest$" user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ and $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$, $user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" and "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/mshta_spawning_rundll32_or_regsvr32_process.yml b/detections/endpoint/mshta_spawning_rundll32_or_regsvr32_process.yml index 1dfa9cf724..aa365f9a6c 100644 --- a/detections/endpoint/mshta_spawning_rundll32_or_regsvr32_process.yml +++ b/detections/endpoint/mshta_spawning_rundll32_or_regsvr32_process.yml @@ -16,12 +16,12 @@ known_false_positives: limitted. this anomaly behavior is not commonly seen in c references: - https://twitter.com/cyb3rops/status/1416050325870587910?s=21 drilldown_searches: -- name: View the detection results for $dest$ and $user$ - search: '%original_detection_search% | search dest = $dest$ user = $user$' +- name: View the detection results for - "$dest$" and "$user$" + search: '%original_detection_search% | search dest = "$dest$" user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ and $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$, $user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" and "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/mshtml_module_load_in_office_product.yml b/detections/endpoint/mshtml_module_load_in_office_product.yml index c2f220243d..cbd77b91a6 100644 --- a/detections/endpoint/mshtml_module_load_in_office_product.yml +++ b/detections/endpoint/mshtml_module_load_in_office_product.yml @@ -17,12 +17,12 @@ references: - https://strontic.github.io/xcyclopedia/index-dll - https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/trojanized-onenote-document-leads-to-formbook-malware/ drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/msi_module_loaded_by_non_system_binary.yml b/detections/endpoint/msi_module_loaded_by_non_system_binary.yml index 21c293ac96..52feeee8f6 100644 --- a/detections/endpoint/msi_module_loaded_by_non_system_binary.yml +++ b/detections/endpoint/msi_module_loaded_by_non_system_binary.yml @@ -5,24 +5,12 @@ date: '2024-10-17' author: Michael Haag, Splunk status: production type: Hunting -description: 'The following analytic detects the loading of `msi.dll` by a binary - not located in `system32`, `syswow64`, `winsxs`, or `windows` directories. This - is identified using Sysmon EventCode 7, which logs DLL loads, and filters out legitimate - system paths. This activity is significant as it may indicate exploitation of CVE-2021-41379 - or DLL side-loading attacks, both of which can lead to unauthorized system modifications. - If confirmed malicious, this could allow an attacker to execute arbitrary code, - escalate privileges, or persist within the environment.' +description: The following analytic detects the loading of `msi.dll` by a binary not located in `system32`, `syswow64`, `winsxs`, or `windows` directories. This is identified using Sysmon EventCode 7, which logs DLL loads, and filters out legitimate system paths. This activity is significant as it may indicate exploitation of CVE-2021-41379 or DLL side-loading attacks, both of which can lead to unauthorized system modifications. If confirmed malicious, this could allow an attacker to execute arbitrary code, escalate privileges, or persist within the environment. data_source: - Sysmon EventID 7 -search: '`sysmon` EventCode=7 ImageLoaded="*\\msi.dll" NOT (Image IN ("*\\System32\\*","*\\syswow64\\*","*\\windows\\*", - "*\\winsxs\\*")) | stats count min(_time) as firstTime max(_time) as lastTime by - Image ImageLoaded process_name dest EventCode ProcessId | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` | `msi_module_loaded_by_non_system_binary_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting - logs with the process name and imageloaded executions from your endpoints. If you - are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. -known_false_positives: It is possible some Administrative utilities will load msi.dll - outside of normal system paths, filter as needed. +search: '`sysmon` EventCode=7 ImageLoaded="*\\msi.dll" NOT (Image IN ("*\\System32\\*","*\\syswow64\\*","*\\windows\\*", "*\\winsxs\\*")) | stats count min(_time) as firstTime max(_time) as lastTime by Image ImageLoaded process_name dest EventCode ProcessId | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `msi_module_loaded_by_non_system_binary_filter`' +how_to_implement: To successfully implement this search, you need to be ingesting logs with the process name and imageloaded executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. +known_false_positives: It is possible some Administrative utilities will load msi.dll outside of normal system paths, filter as needed. references: - https://attackerkb.com/topics/7LstI2clmF/cve-2021-41379/rapid7-analysis - https://github.com/AlexandrVIvanov/InstallerFileTakeOver @@ -37,8 +25,7 @@ tags: cve: - CVE-2021-41379 impact: 80 - message: The following module $ImageLoaded$ was loaded by $Image$ outside of the - normal system paths on endpoint $dest$, potentally related to DLL side-loading. + message: The following module $ImageLoaded$ was loaded by $Image$ outside of the normal system paths on endpoint $dest$, potentally related to DLL side-loading. mitre_attack_id: - T1574.002 - T1574 @@ -68,7 +55,6 @@ tags: tests: - name: True Positive Test attack_data: - - data: - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1574.002/msi_module_load/windows-sysmon.log + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1574.002/msi_module_load/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/msmpeng_application_dll_side_loading.yml b/detections/endpoint/msmpeng_application_dll_side_loading.yml index 977001cffe..c1b1c4763c 100644 --- a/detections/endpoint/msmpeng_application_dll_side_loading.yml +++ b/detections/endpoint/msmpeng_application_dll_side_loading.yml @@ -16,12 +16,12 @@ known_false_positives: quite minimal false positive expected. references: - https://community.sophos.com/b/security-blog/posts/active-ransomware-attack-on-kaseya-customers drilldown_searches: -- name: View the detection results for $user$ - search: '%original_detection_search% | search user = $user$' +- name: View the detection results for - "$user$" + search: '%original_detection_search% | search user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/net_localgroup_discovery.yml b/detections/endpoint/net_localgroup_discovery.yml index 10e7e4f6bb..495f910b19 100644 --- a/detections/endpoint/net_localgroup_discovery.yml +++ b/detections/endpoint/net_localgroup_discovery.yml @@ -5,33 +5,13 @@ date: '2024-10-17' author: Michael Haag, Splunk status: production type: Hunting -description: The following analytic detects the execution of the `net localgroup` - command, which is used to enumerate local group memberships on a system. It leverages - data from Endpoint Detection and Response (EDR) agents, focusing on process execution - logs that include command-line details. This activity is significant because it - can indicate an attacker is gathering information about local group memberships, - potentially to identify privileged accounts. If confirmed malicious, this behavior - could lead to further privilege escalation or lateral movement within the network. +description: The following analytic detects the execution of the `net localgroup` command, which is used to enumerate local group memberships on a system. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs that include command-line details. This activity is significant because it can indicate an attacker is gathering information about local group memberships, potentially to identify privileged accounts. If confirmed malicious, this behavior could lead to further privilege escalation or lateral movement within the network. data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) - as lastTime from datamodel=Endpoint.Processes where Processes.process_name=net.exe - OR Processes.process_name=net1.exe (Processes.process="*localgroup*") by Processes.dest - Processes.user Processes.parent_process_name Processes.process_name Processes.process - Processes.original_file_name Processes.process_id Processes.parent_process_id | - `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` - | `net_localgroup_discovery_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection - and Response (EDR) agents. These agents are designed to provide security-related - telemetry from the endpoints where the agent is installed. To implement this search, - you must ingest logs that contain the process GUID, process name, and parent process. - Additionally, you must ingest complete command-line executions. These logs must - be processed using the appropriate Splunk Technology Add-ons that are specific to - the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` - data model. Use the Splunk Common Information Model (CIM) to normalize the field - names and speed up the data modeling process. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=net.exe OR Processes.process_name=net1.exe (Processes.process="*localgroup*") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.original_file_name Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `net_localgroup_discovery_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. known_false_positives: False positives may be present. Tune as needed. references: - https://attack.mitre.org/techniques/T1069/001/ @@ -87,7 +67,6 @@ tags: tests: - name: True Positive Test attack_data: - - data: - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1069.001/atomic_red_team/windows-sysmon.log + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1069.001/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/net_profiler_uac_bypass.yml b/detections/endpoint/net_profiler_uac_bypass.yml index d28b51347f..36dbf34cd1 100644 --- a/detections/endpoint/net_profiler_uac_bypass.yml +++ b/detections/endpoint/net_profiler_uac_bypass.yml @@ -15,12 +15,12 @@ known_false_positives: limited false positive. It may trigger by some windows up references: - https://offsec.almond.consulting/UAC-bypass-dotnet.html drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/network_connection_discovery_with_arp.yml b/detections/endpoint/network_connection_discovery_with_arp.yml index fb0d2d4626..3a698a0968 100644 --- a/detections/endpoint/network_connection_discovery_with_arp.yml +++ b/detections/endpoint/network_connection_discovery_with_arp.yml @@ -5,33 +5,13 @@ date: '2024-10-17' author: Mauricio Velazco, Splunk status: production type: Hunting -description: The following analytic detects the execution of `arp.exe` with the `-a` - flag, which is used to list network connections on a compromised system. This detection - leverages data from Endpoint Detection and Response (EDR) agents, focusing on process - names, command-line executions, and related telemetry. Monitoring this activity - is significant because both Red Teams and adversaries use `arp.exe` for situational - awareness and Active Directory discovery. If confirmed malicious, this activity - could allow attackers to map the network, identify active devices, and plan further - lateral movement or attacks. +description: The following analytic detects the execution of `arp.exe` with the `-a` flag, which is used to list network connections on a compromised system. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names, command-line executions, and related telemetry. Monitoring this activity is significant because both Red Teams and adversaries use `arp.exe` for situational awareness and Active Directory discovery. If confirmed malicious, this activity could allow attackers to map the network, identify active devices, and plan further lateral movement or attacks. data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) - as lastTime from datamodel=Endpoint.Processes where (Processes.process_name="arp.exe") - (Processes.process=*-a*) by Processes.dest Processes.user Processes.parent_process - Processes.process_name Processes.process Processes.process_id Processes.parent_process_id - | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` - | `network_connection_discovery_with_arp_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection - and Response (EDR) agents. These agents are designed to provide security-related - telemetry from the endpoints where the agent is installed. To implement this search, - you must ingest logs that contain the process GUID, process name, and parent process. - Additionally, you must ingest complete command-line executions. These logs must - be processed using the appropriate Splunk Technology Add-ons that are specific to - the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` - data model. Use the Splunk Common Information Model (CIM) to normalize the field - names and speed up the data modeling process. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name="arp.exe") (Processes.process=*-a*) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `network_connection_discovery_with_arp_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. known_false_positives: Administrators or power users may use this command for troubleshooting. references: - https://attack.mitre.org/techniques/T1049/ @@ -77,7 +57,6 @@ tags: tests: - name: True Positive Test attack_data: - - data: - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1049/AD_discovery/windows-sysmon.log + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1049/AD_discovery/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/network_connection_discovery_with_net.yml b/detections/endpoint/network_connection_discovery_with_net.yml index af8bc41739..f4637e4b4c 100644 --- a/detections/endpoint/network_connection_discovery_with_net.yml +++ b/detections/endpoint/network_connection_discovery_with_net.yml @@ -5,33 +5,13 @@ date: '2024-10-17' author: Mauricio Velazco, Splunk status: production type: Hunting -description: The following analytic identifies the execution of `net.exe` or `net1.exe` - with command-line arguments used to list network connections on a compromised system. - It leverages data from Endpoint Detection and Response (EDR) agents, focusing on - process names and command-line executions. This activity is significant as it indicates - potential network reconnaissance by adversaries or Red Teams, aiming to gather situational - awareness and Active Directory information. If confirmed malicious, this behavior - could allow attackers to map the network, identify critical assets, and plan further - attacks, potentially leading to data exfiltration or lateral movement. +description: The following analytic identifies the execution of `net.exe` or `net1.exe` with command-line arguments used to list network connections on a compromised system. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. This activity is significant as it indicates potential network reconnaissance by adversaries or Red Teams, aiming to gather situational awareness and Active Directory information. If confirmed malicious, this behavior could allow attackers to map the network, identify critical assets, and plan further attacks, potentially leading to data exfiltration or lateral movement. data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) - as lastTime from datamodel=Endpoint.Processes where (Processes.process_name="net.exe" - OR Processes.process_name="net1.exe") (Processes.process=*use*) by Processes.dest - Processes.user Processes.parent_process Processes.process_name Processes.process - Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` - | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `network_connection_discovery_with_net_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection - and Response (EDR) agents. These agents are designed to provide security-related - telemetry from the endpoints where the agent is installed. To implement this search, - you must ingest logs that contain the process GUID, process name, and parent process. - Additionally, you must ingest complete command-line executions. These logs must - be processed using the appropriate Splunk Technology Add-ons that are specific to - the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` - data model. Use the Splunk Common Information Model (CIM) to normalize the field - names and speed up the data modeling process. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name="net.exe" OR Processes.process_name="net1.exe") (Processes.process=*use*) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `network_connection_discovery_with_net_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. known_false_positives: Administrators or power users may use this command for troubleshooting. references: - https://attack.mitre.org/techniques/T1049/ @@ -73,7 +53,6 @@ tags: tests: - name: True Positive Test attack_data: - - data: - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1049/AD_discovery/windows-sysmon.log + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1049/AD_discovery/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/network_connection_discovery_with_netstat.yml b/detections/endpoint/network_connection_discovery_with_netstat.yml index e0b391c504..6fb53975b9 100644 --- a/detections/endpoint/network_connection_discovery_with_netstat.yml +++ b/detections/endpoint/network_connection_discovery_with_netstat.yml @@ -5,32 +5,13 @@ date: '2024-10-17' author: Mauricio Velazco, Splunk status: production type: Hunting -description: The following analytic detects the execution of `netstat.exe` with command-line - arguments to list network connections on a system. It leverages data from Endpoint - Detection and Response (EDR) agents, focusing on process names, command-line executions, - and parent processes. This activity is significant as both Red Teams and adversaries - use `netstat.exe` for situational awareness and Active Directory discovery. If confirmed - malicious, this behavior could allow attackers to map network connections, identify - critical systems, and plan further lateral movement or data exfiltration. +description: The following analytic detects the execution of `netstat.exe` with command-line arguments to list network connections on a system. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names, command-line executions, and parent processes. This activity is significant as both Red Teams and adversaries use `netstat.exe` for situational awareness and Active Directory discovery. If confirmed malicious, this behavior could allow attackers to map network connections, identify critical systems, and plan further lateral movement or data exfiltration. data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) - as lastTime from datamodel=Endpoint.Processes where (Processes.process_name="netstat.exe") - (Processes.process=*-a*) by Processes.dest Processes.user Processes.parent_process - Processes.process_name Processes.process Processes.process_id Processes.parent_process_id - | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` - | `network_connection_discovery_with_netstat_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection - and Response (EDR) agents. These agents are designed to provide security-related - telemetry from the endpoints where the agent is installed. To implement this search, - you must ingest logs that contain the process GUID, process name, and parent process. - Additionally, you must ingest complete command-line executions. These logs must - be processed using the appropriate Splunk Technology Add-ons that are specific to - the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` - data model. Use the Splunk Common Information Model (CIM) to normalize the field - names and speed up the data modeling process. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name="netstat.exe") (Processes.process=*-a*) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `network_connection_discovery_with_netstat_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. known_false_positives: Administrators or power users may use this command for troubleshooting. references: - https://attack.mitre.org/techniques/T1049/ @@ -77,7 +58,6 @@ tags: tests: - name: True Positive Test attack_data: - - data: - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1049/AD_discovery/windows-sysmon.log + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1049/AD_discovery/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/network_discovery_using_route_windows_app.yml b/detections/endpoint/network_discovery_using_route_windows_app.yml index 57569bff1b..e74a3d4e74 100644 --- a/detections/endpoint/network_discovery_using_route_windows_app.yml +++ b/detections/endpoint/network_discovery_using_route_windows_app.yml @@ -5,35 +5,14 @@ date: '2024-10-17' author: Teoderick Contreras, Splunk status: production type: Hunting -description: The following analytic detects the execution of the `route.exe` Windows - application, commonly used for network discovery. It leverages data from Endpoint - Detection and Response (EDR) agents, focusing on process creation events. This activity - is significant because adversaries often use `route.exe` to map network routes and - identify potential targets within a network. If confirmed malicious, this behavior - could allow attackers to gain insights into network topology, facilitating lateral - movement and further exploitation. Note that false positives may occur due to legitimate - administrative tasks or automated scripts. +description: The following analytic detects the execution of the `route.exe` Windows application, commonly used for network discovery. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process creation events. This activity is significant because adversaries often use `route.exe` to map network routes and identify potential targets within a network. If confirmed malicious, this behavior could allow attackers to gain insights into network topology, facilitating lateral movement and further exploitation. Note that false positives may occur due to legitimate administrative tasks or automated scripts. data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) - as lastTime from datamodel=Endpoint.Processes where `process_route` by Processes.dest - Processes.user Processes.parent_process_name Processes.parent_process Processes.process_name - Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` - | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `network_discovery_using_route_windows_app_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection - and Response (EDR) agents. These agents are designed to provide security-related - telemetry from the endpoints where the agent is installed. To implement this search, - you must ingest logs that contain the process GUID, process name, and parent process. - Additionally, you must ingest complete command-line executions. These logs must - be processed using the appropriate Splunk Technology Add-ons that are specific to - the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` - data model. Use the Splunk Common Information Model (CIM) to normalize the field - names and speed up the data modeling process. -known_false_positives: A network operator or systems administrator may utilize an - automated host discovery application that may generate false positives or an amazon - ec2 script that uses this application. Filter as needed. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_route` by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `network_discovery_using_route_windows_app_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. +known_false_positives: A network operator or systems administrator may utilize an automated host discovery application that may generate false positives or an amazon ec2 script that uses this application. Filter as needed. references: - https://app.any.run/tasks/ad4c3cda-41f2-4401-8dba-56cc2d245488/ tags: @@ -74,7 +53,6 @@ tags: tests: - name: True Positive Test attack_data: - - data: - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/vilsel/sysmon.log + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/vilsel/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/network_share_discovery_via_dir_command.yml b/detections/endpoint/network_share_discovery_via_dir_command.yml index fdde211a86..36665cccf4 100644 --- a/detections/endpoint/network_share_discovery_via_dir_command.yml +++ b/detections/endpoint/network_share_discovery_via_dir_command.yml @@ -7,25 +7,10 @@ status: production type: Hunting data_source: - Windows Event Log Security 5140 -description: The following analytic detects access to Windows administrative SMB shares - (Admin$, IPC$, C$) using the 'dir' command. It leverages Windows Security Event - Logs with EventCode 5140 to identify this activity. This behavior is significant - as it is commonly used by tools like PsExec/PaExec for staging binaries before creating - and starting services on remote endpoints, a technique often employed by adversaries - for lateral movement and remote code execution. If confirmed malicious, this activity - could allow attackers to propagate malware, such as IcedID, across the network, - leading to widespread infection and potential data breaches. -search: '`wineventlog_security` EventCode=5140 ShareName IN("\\\\*\\ADMIN$","\\\\*\\C$","*\\\\*\\IPC$") - AccessMask= 0x1 | stats min(_time) as firstTime max(_time) as lastTime count by - ShareName IpAddress ObjectType SubjectUserName SubjectDomainName IpPort AccessMask - Computer | rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` - | `network_share_discovery_via_dir_command_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting - Windows Security Event Logs with 5140 EventCode enabled. The Windows TA is also - required. Also enable the object Audit access success/failure in your group policy. -known_false_positives: System Administrators may use looks like net.exe or "dir commandline" - for troubleshooting or administrations tasks. However, this will typically come - only from certain users and certain systems that can be added to an allow list. +description: The following analytic detects access to Windows administrative SMB shares (Admin$, IPC$, C$) using the 'dir' command. It leverages Windows Security Event Logs with EventCode 5140 to identify this activity. This behavior is significant as it is commonly used by tools like PsExec/PaExec for staging binaries before creating and starting services on remote endpoints, a technique often employed by adversaries for lateral movement and remote code execution. If confirmed malicious, this activity could allow attackers to propagate malware, such as IcedID, across the network, leading to widespread infection and potential data breaches. +search: '`wineventlog_security` EventCode=5140 ShareName IN("\\\\*\\ADMIN$","\\\\*\\C$","*\\\\*\\IPC$") AccessMask= 0x1 | stats min(_time) as firstTime max(_time) as lastTime count by ShareName IpAddress ObjectType SubjectUserName SubjectDomainName IpPort AccessMask Computer | rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `network_share_discovery_via_dir_command_filter`' +how_to_implement: To successfully implement this search, you need to be ingesting Windows Security Event Logs with 5140 EventCode enabled. The Windows TA is also required. Also enable the object Audit access success/failure in your group policy. +known_false_positives: System Administrators may use looks like net.exe or "dir commandline" for troubleshooting or administrations tasks. However, this will typically come only from certain users and certain systems that can be added to an allow list. references: - https://thedfirreport.com/2023/05/22/icedid-macro-ends-in-nokoyawa-ransomware/ tags: @@ -36,8 +21,7 @@ tags: - 13daa2cf-195a-43df-a8bd-7dd5ffb607b5 confidence: 50 impact: 50 - message: $user$ list executable files or directory in known sensitive SMB share. Share - name=$ShareName$, Access mask=$AccessMask$ + message: $user$ list executable files or directory in known sensitive SMB share. Share name=$ShareName$, Access mask=$AccessMask$ mitre_attack_id: - T1135 observable: @@ -64,7 +48,6 @@ tags: tests: - name: True Positive Test attack_data: - - data: - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1135/net_share_discovery_via_dir/smb_access_security_xml.log + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1135/net_share_discovery_via_dir/smb_access_security_xml.log source: XmlWinEventLog:Security sourcetype: XmlWinEventLog diff --git a/detections/endpoint/network_traffic_to_active_directory_web_services_protocol.yml b/detections/endpoint/network_traffic_to_active_directory_web_services_protocol.yml index 5246060134..ecfce144ff 100644 --- a/detections/endpoint/network_traffic_to_active_directory_web_services_protocol.yml +++ b/detections/endpoint/network_traffic_to_active_directory_web_services_protocol.yml @@ -7,28 +7,10 @@ status: production type: Hunting data_source: - Sysmon EventID 3 -description: The following analytic identifies network traffic directed to the Active - Directory Web Services Protocol (ADWS) on port 9389. It leverages network traffic - logs, focusing on source and destination IP addresses, application names, and destination - ports. This activity is significant as ADWS is used to manage Active Directory, - and unauthorized access could indicate malicious intent. If confirmed malicious, - an attacker could manipulate Active Directory, potentially leading to privilege - escalation, unauthorized access, or persistent control over the environment. -search: '| tstats count from datamodel=Network_Traffic where All_Traffic.dest_port=9389 - by All_Traffic.src_ip, All_Traffic.dest_ip, All_Traffic.app, All_Traffic.user, All_Traffic.dest_port - | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `drop_dm_object_name("All_Traffic")` - | `network_traffic_to_active_directory_web_services_protocol_filter`' -how_to_implement: The detection is based on data that originates from network traffic - logs. The logs must contain the source and destination IP addresses, the application - name, and the destination port. The logs must be processed using the appropriate - Splunk Technology Add-ons that are specific to the network traffic data source. - The logs must also be mapped to the `Network_Traffic` data model. Use the Splunk - Common Information Model (CIM) to normalize the field names and speed up the data - modeling process. -known_false_positives: False positives should be limited as the destination port is - specific to Active Directory Web Services Protocol, however we recommend utilizing - this analytic to hunt for non-standard processes querying the ADWS port. Filter - by App or dest_ip to AD servers and remove known proceses querying ADWS. +description: The following analytic identifies network traffic directed to the Active Directory Web Services Protocol (ADWS) on port 9389. It leverages network traffic logs, focusing on source and destination IP addresses, application names, and destination ports. This activity is significant as ADWS is used to manage Active Directory, and unauthorized access could indicate malicious intent. If confirmed malicious, an attacker could manipulate Active Directory, potentially leading to privilege escalation, unauthorized access, or persistent control over the environment. +search: '| tstats count from datamodel=Network_Traffic where All_Traffic.dest_port=9389 by All_Traffic.src_ip, All_Traffic.dest_ip, All_Traffic.app, All_Traffic.user, All_Traffic.dest_port | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `drop_dm_object_name("All_Traffic")` | `network_traffic_to_active_directory_web_services_protocol_filter`' +how_to_implement: The detection is based on data that originates from network traffic logs. The logs must contain the source and destination IP addresses, the application name, and the destination port. The logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the network traffic data source. The logs must also be mapped to the `Network_Traffic` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. +known_false_positives: False positives should be limited as the destination port is specific to Active Directory Web Services Protocol, however we recommend utilizing this analytic to hunt for non-standard processes querying the ADWS port. Filter by App or dest_ip to AD servers and remove known proceses querying ADWS. references: - https://github.com/FalconForceTeam/SOAPHound tags: @@ -38,8 +20,7 @@ tags: atomic_guid: [] confidence: 50 impact: 20 - message: Network traffic to Active Directory Web Services Protocol was identified - on $dest_ip$ by $src_ip$. + message: Network traffic to Active Directory Web Services Protocol was identified on $dest_ip$ by $src_ip$. mitre_attack_id: - T1087.002 - T1069.001 @@ -72,7 +53,6 @@ tags: tests: - name: True Positive Test attack_data: - - data: - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/soaphound/sysmon_soaphound.log + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/soaphound/sysmon_soaphound.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/nishang_powershelltcponeline.yml b/detections/endpoint/nishang_powershelltcponeline.yml index 04b9f68387..ea3ccfb711 100644 --- a/detections/endpoint/nishang_powershelltcponeline.yml +++ b/detections/endpoint/nishang_powershelltcponeline.yml @@ -19,12 +19,12 @@ references: - https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/ - https://www.rapid7.com/blog/post/2021/03/03/rapid7s-insightidr-enables-detection-and-response-to-microsoft-exchange-0-day/ drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/nltest_domain_trust_discovery.yml b/detections/endpoint/nltest_domain_trust_discovery.yml index 56469d4052..523af7443f 100644 --- a/detections/endpoint/nltest_domain_trust_discovery.yml +++ b/detections/endpoint/nltest_domain_trust_discovery.yml @@ -22,12 +22,12 @@ references: - https://redcanary.com/threat-detection-report/techniques/domain-trust-discovery/ - https://thedfirreport.com/2020/10/08/ryuks-return/ drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/non_chrome_process_accessing_chrome_default_dir.yml b/detections/endpoint/non_chrome_process_accessing_chrome_default_dir.yml index 4c1ea52bff..637f868354 100644 --- a/detections/endpoint/non_chrome_process_accessing_chrome_default_dir.yml +++ b/detections/endpoint/non_chrome_process_accessing_chrome_default_dir.yml @@ -13,12 +13,12 @@ how_to_implement: To successfully implement this search, you must ingest Windows known_false_positives: other browser not listed related to chrome may catch by this rule. references: [] drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/non_firefox_process_access_firefox_profile_dir.yml b/detections/endpoint/non_firefox_process_access_firefox_profile_dir.yml index a81592f850..2a16ca2ff8 100644 --- a/detections/endpoint/non_firefox_process_access_firefox_profile_dir.yml +++ b/detections/endpoint/non_firefox_process_access_firefox_profile_dir.yml @@ -13,12 +13,12 @@ how_to_implement: To successfully implement this search, you must ingest Windows known_false_positives: other browser not listed related to firefox may catch by this rule. references: [] drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/notepad_with_no_command_line_arguments.yml b/detections/endpoint/notepad_with_no_command_line_arguments.yml index ee9d591bca..d63ce534dc 100644 --- a/detections/endpoint/notepad_with_no_command_line_arguments.yml +++ b/detections/endpoint/notepad_with_no_command_line_arguments.yml @@ -17,12 +17,12 @@ references: - https://www.microsoft.com/en-us/security/blog/2022/08/24/looking-for-the-sliver-lining-hunting-for-emerging-command-and-control-frameworks/ - https://www.cybereason.com/blog/sliver-c2-leveraged-by-many-threat-actors#Purple-Team-Section drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/ntdsutil_export_ntds.yml b/detections/endpoint/ntdsutil_export_ntds.yml index cc0b524835..fc65c5c99d 100644 --- a/detections/endpoint/ntdsutil_export_ntds.yml +++ b/detections/endpoint/ntdsutil_export_ntds.yml @@ -20,12 +20,12 @@ references: - https://strontic.github.io/xcyclopedia/library/vss_ps.dll-97B15BDAE9777F454C9A6BA25E938DB3.html - https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/ drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/office_application_drop_executable.yml b/detections/endpoint/office_application_drop_executable.yml index 5c945312f5..2ec756dcdb 100644 --- a/detections/endpoint/office_application_drop_executable.yml +++ b/detections/endpoint/office_application_drop_executable.yml @@ -17,12 +17,12 @@ references: - https://www.joesandbox.com/analysis/702680/0/html - https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/trojanized-onenote-document-leads-to-formbook-malware/ drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/office_application_spawn_regsvr32_process.yml b/detections/endpoint/office_application_spawn_regsvr32_process.yml index 0a88784a19..2999d0101d 100644 --- a/detections/endpoint/office_application_spawn_regsvr32_process.yml +++ b/detections/endpoint/office_application_spawn_regsvr32_process.yml @@ -17,12 +17,12 @@ references: - https://www.joesandbox.com/analysis/380662/0/html - https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/trojanized-onenote-document-leads-to-formbook-malware/ drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/office_application_spawn_rundll32_process.yml b/detections/endpoint/office_application_spawn_rundll32_process.yml index d3845f6828..882738f42d 100644 --- a/detections/endpoint/office_application_spawn_rundll32_process.yml +++ b/detections/endpoint/office_application_spawn_rundll32_process.yml @@ -19,12 +19,12 @@ references: - https://www.joesandbox.com/analysis/702680/0/html - https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/trojanized-onenote-document-leads-to-formbook-malware/ drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/office_document_creating_schedule_task.yml b/detections/endpoint/office_document_creating_schedule_task.yml index 2359a522da..192be8219e 100644 --- a/detections/endpoint/office_document_creating_schedule_task.yml +++ b/detections/endpoint/office_document_creating_schedule_task.yml @@ -16,12 +16,12 @@ references: - https://redcanary.com/threat-detection-report/techniques/scheduled-task-job/ - https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/trojanized-onenote-document-leads-to-formbook-malware/ drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/office_document_executing_macro_code.yml b/detections/endpoint/office_document_executing_macro_code.yml index 732ced644d..aa1813ff52 100644 --- a/detections/endpoint/office_document_executing_macro_code.yml +++ b/detections/endpoint/office_document_executing_macro_code.yml @@ -19,12 +19,12 @@ references: - https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/trojanized-onenote-document-leads-to-formbook-malware/ - https://www.fortinet.com/blog/threat-research/leveraging-microsoft-office-documents-to-deliver-agent-tesla-and-njrat drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/office_document_spawned_child_process_to_download.yml b/detections/endpoint/office_document_spawned_child_process_to_download.yml index a9dc968563..3c236c26af 100644 --- a/detections/endpoint/office_document_spawned_child_process_to_download.yml +++ b/detections/endpoint/office_document_spawned_child_process_to_download.yml @@ -17,12 +17,12 @@ references: - https://app.any.run/tasks/92d7ef61-bfd7-4c92-bc15-322172b4ebec/ - https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/trojanized-onenote-document-leads-to-formbook-malware/ drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/office_product_spawn_cmd_process.yml b/detections/endpoint/office_product_spawn_cmd_process.yml index 0af0a70569..ab6a93a70a 100644 --- a/detections/endpoint/office_product_spawn_cmd_process.yml +++ b/detections/endpoint/office_product_spawn_cmd_process.yml @@ -19,12 +19,12 @@ references: - https://www.fortinet.com/blog/threat-research/latest-remcos-rat-phishing - https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/trojanized-onenote-document-leads-to-formbook-malware/ drilldown_searches: -- name: View the detection results for $dest$ and $user$ - search: '%original_detection_search% | search dest = $dest$ user = $user$' +- name: View the detection results for - "$dest$" and "$user$" + search: '%original_detection_search% | search dest = "$dest$" user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ and $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$, $user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" and "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/office_product_spawning_bitsadmin.yml b/detections/endpoint/office_product_spawning_bitsadmin.yml index 905d2fd846..28321613dd 100644 --- a/detections/endpoint/office_product_spawning_bitsadmin.yml +++ b/detections/endpoint/office_product_spawning_bitsadmin.yml @@ -17,12 +17,12 @@ references: - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1197/T1197.md - https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/trojanized-onenote-document-leads-to-formbook-malware/ drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/office_product_spawning_certutil.yml b/detections/endpoint/office_product_spawning_certutil.yml index fa86748eb1..4e0ef4b5e5 100644 --- a/detections/endpoint/office_product_spawning_certutil.yml +++ b/detections/endpoint/office_product_spawning_certutil.yml @@ -18,12 +18,12 @@ references: - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1105/T1105.md - https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/trojanized-onenote-document-leads-to-formbook-malware/ drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/office_product_spawning_mshta.yml b/detections/endpoint/office_product_spawning_mshta.yml index 57337db841..1957a45e42 100644 --- a/detections/endpoint/office_product_spawning_mshta.yml +++ b/detections/endpoint/office_product_spawning_mshta.yml @@ -16,12 +16,12 @@ known_false_positives: No false positives known. Filter as needed. references: - https://redcanary.com/threat-detection-report/threats/TA551/ drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/office_product_spawning_rundll32_with_no_dll.yml b/detections/endpoint/office_product_spawning_rundll32_with_no_dll.yml index 52e29dc03a..364f77cf22 100644 --- a/detections/endpoint/office_product_spawning_rundll32_with_no_dll.yml +++ b/detections/endpoint/office_product_spawning_rundll32_with_no_dll.yml @@ -18,12 +18,12 @@ references: - https://app.any.run/tasks/cef4b8ba-023c-4b3b-b2ef-6486a44f6ed9/ - https://any.run/malware-trends/icedid drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/office_product_spawning_windows_script_host.yml b/detections/endpoint/office_product_spawning_windows_script_host.yml index d00129fd38..5d86a8d0a1 100644 --- a/detections/endpoint/office_product_spawning_windows_script_host.yml +++ b/detections/endpoint/office_product_spawning_windows_script_host.yml @@ -18,12 +18,12 @@ references: - https://www.fortinet.com/blog/threat-research/latest-remcos-rat-phishing - https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/trojanized-onenote-document-leads-to-formbook-malware/ drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/office_product_spawning_wmic.yml b/detections/endpoint/office_product_spawning_wmic.yml index 2cb7cb89b6..d92d17ab18 100644 --- a/detections/endpoint/office_product_spawning_wmic.yml +++ b/detections/endpoint/office_product_spawning_wmic.yml @@ -19,12 +19,12 @@ references: - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1047/T1047.md - https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/trojanized-onenote-document-leads-to-formbook-malware/ drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/office_product_writing_cab_or_inf.yml b/detections/endpoint/office_product_writing_cab_or_inf.yml index ec937598f5..8b0c361d95 100644 --- a/detections/endpoint/office_product_writing_cab_or_inf.yml +++ b/detections/endpoint/office_product_writing_cab_or_inf.yml @@ -21,12 +21,12 @@ references: - https://twitter.com/RonnyTNL/status/1436334640617373699?s=20 - https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/trojanized-onenote-document-leads-to-formbook-malware/ drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/office_spawning_control.yml b/detections/endpoint/office_spawning_control.yml index fd060cc423..dd5cd336d4 100644 --- a/detections/endpoint/office_spawning_control.yml +++ b/detections/endpoint/office_spawning_control.yml @@ -22,12 +22,12 @@ references: - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.002/T1218.002.yaml - https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/trojanized-onenote-document-leads-to-formbook-malware/ drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/outbound_network_connection_from_java_using_default_ports.yml b/detections/endpoint/outbound_network_connection_from_java_using_default_ports.yml index d71340efec..e30c443d3a 100644 --- a/detections/endpoint/outbound_network_connection_from_java_using_default_ports.yml +++ b/detections/endpoint/outbound_network_connection_from_java_using_default_ports.yml @@ -15,12 +15,12 @@ references: - https://www.lunasec.io/docs/blog/log4j-zero-day/ - https://www.govcert.admin.ch/blog/zero-day-exploit-targeting-popular-java-library-log4j/ drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/overwriting_accessibility_binaries.yml b/detections/endpoint/overwriting_accessibility_binaries.yml index 8502777d28..aa57c7e002 100644 --- a/detections/endpoint/overwriting_accessibility_binaries.yml +++ b/detections/endpoint/overwriting_accessibility_binaries.yml @@ -13,12 +13,12 @@ how_to_implement: You must be ingesting data that records the filesystem activit known_false_positives: Microsoft may provide updates to these binaries. Verify that these changes do not correspond with your normal software update cycle. references: [] drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/papercut_ng_suspicious_behavior_debug_log.yml b/detections/endpoint/papercut_ng_suspicious_behavior_debug_log.yml index 0525dfe927..00a84a51cf 100644 --- a/detections/endpoint/papercut_ng_suspicious_behavior_debug_log.yml +++ b/detections/endpoint/papercut_ng_suspicious_behavior_debug_log.yml @@ -6,25 +6,10 @@ author: Michael Haag, Splunk status: experimental type: Hunting data_source: [] -description: The following analytic identifies potential exploitation attempts on - a PaperCut NG server by analyzing its debug log data. It detects unauthorized or - suspicious access attempts from public IP addresses and searches for specific URIs - associated with known exploits. The detection leverages regex to parse unstructured - log data, focusing on admin login activities. This activity is significant as it - can indicate an active exploitation attempt on the server. If confirmed malicious, - attackers could gain unauthorized access, potentially leading to data breaches or - further compromise of the server. -search: '`papercutng` (loginType=Admin OR userName=admin) | eval uri_match=if(match(_raw, - "(?i)(\/app\?service=page\/SetupCompleted|\/app|\/app\?service=page\/PrinterList|\/app\?service=direct\/1\/PrinterList\/selectPrinter&sp=l1001|\/app\?service=direct\/1\/PrinterDetails\/printerOptionsTab\.tab)"), - "URI matches", null()) | eval ip_match=if(match(_raw, "(?i)((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?))") - AND NOT match(_raw, "(?i)(10\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?))|(172\.(1[6-9]|2[0-9]|3[0-1])\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?))|(192\.168\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?))"), - "IP matches", null()) | where (isnotnull(uri_match) OR isnotnull(ip_match)) | stats - sparkline, count, values(uri_match) AS uri_match, values(ip_match) AS ip_match latest(_raw) - BY host, index, sourcetype | `papercut_ng_suspicious_behavior_debug_log_filter`' -how_to_implement: Debug logs must be enabled and shipped to Splunk in order to properly - identify behavior with this analytic. -known_false_positives: False positives may be present, as this is based on the admin - user accessing the Papercut NG instance from a public IP address. Filter as needed. +description: The following analytic identifies potential exploitation attempts on a PaperCut NG server by analyzing its debug log data. It detects unauthorized or suspicious access attempts from public IP addresses and searches for specific URIs associated with known exploits. The detection leverages regex to parse unstructured log data, focusing on admin login activities. This activity is significant as it can indicate an active exploitation attempt on the server. If confirmed malicious, attackers could gain unauthorized access, potentially leading to data breaches or further compromise of the server. +search: '`papercutng` (loginType=Admin OR userName=admin) | eval uri_match=if(match(_raw, "(?i)(\/app\?service=page\/SetupCompleted|\/app|\/app\?service=page\/PrinterList|\/app\?service=direct\/1\/PrinterList\/selectPrinter&sp=l1001|\/app\?service=direct\/1\/PrinterDetails\/printerOptionsTab\.tab)"), "URI matches", null()) | eval ip_match=if(match(_raw, "(?i)((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?))") AND NOT match(_raw, "(?i)(10\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?))|(172\.(1[6-9]|2[0-9]|3[0-1])\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?))|(192\.168\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?))"), "IP matches", null()) | where (isnotnull(uri_match) OR isnotnull(ip_match)) | stats sparkline, count, values(uri_match) AS uri_match, values(ip_match) AS ip_match latest(_raw) BY host, index, sourcetype | `papercut_ng_suspicious_behavior_debug_log_filter`' +how_to_implement: Debug logs must be enabled and shipped to Splunk in order to properly identify behavior with this analytic. +known_false_positives: False positives may be present, as this is based on the admin user accessing the Papercut NG instance from a public IP address. Filter as needed. references: - https://www.papercut.com/kb/Main/HowToCollectApplicationServerDebugLogs - https://github.com/inodee/threathunting-spl/blob/master/hunt-queries/HAFNIUM.md @@ -40,8 +25,7 @@ tags: atomic_guid: [] confidence: 80 impact: 80 - message: Behavior related to exploitation of PaperCut NG has been identified on - $host$. + message: Behavior related to exploitation of PaperCut NG has been identified on $host$. mitre_attack_id: - T1190 - T1133 @@ -65,7 +49,6 @@ tags: tests: - name: True Positive Test attack_data: - - data: - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/papercut/server.log + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/papercut/server.log source: papercutng sourcetype: papercutng diff --git a/detections/endpoint/password_policy_discovery_with_net.yml b/detections/endpoint/password_policy_discovery_with_net.yml index f1d86c7d28..ee7db9cc02 100644 --- a/detections/endpoint/password_policy_discovery_with_net.yml +++ b/detections/endpoint/password_policy_discovery_with_net.yml @@ -5,35 +5,13 @@ date: '2024-10-17' author: Teoderick Contreras, Mauricio Velazco, Splunk status: production type: Hunting -description: The following analytic identifies the execution of `net.exe` or `net1.exe` - with command line arguments aimed at obtaining the domain password policy. It leverages - data from Endpoint Detection and Response (EDR) agents, focusing on process names - and command-line executions. This activity is significant as it indicates potential - reconnaissance efforts by adversaries to gather information about Active Directory - password policies. If confirmed malicious, this behavior could allow attackers to - understand password complexity requirements, aiding in brute-force or password-guessing - attacks, ultimately compromising user accounts and gaining unauthorized access to - the network. +description: The following analytic identifies the execution of `net.exe` or `net1.exe` with command line arguments aimed at obtaining the domain password policy. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. This activity is significant as it indicates potential reconnaissance efforts by adversaries to gather information about Active Directory password policies. If confirmed malicious, this behavior could allow attackers to understand password complexity requirements, aiding in brute-force or password-guessing attacks, ultimately compromising user accounts and gaining unauthorized access to the network. data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) - as lastTime from datamodel=Endpoint.Processes where (Processes.process_name="net.exe" - OR Processes.process_name="net1.exe") AND Processes.process = "*accounts*" AND Processes.process - = "*/domain*" by Processes.dest Processes.user Processes.parent_process Processes.process_name - Processes.process Processes.process_id Processes.parent_process_id Processes.parent_process_name - | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` - | `password_policy_discovery_with_net_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection - and Response (EDR) agents. These agents are designed to provide security-related - telemetry from the endpoints where the agent is installed. To implement this search, - you must ingest logs that contain the process GUID, process name, and parent process. - Additionally, you must ingest complete command-line executions. These logs must - be processed using the appropriate Splunk Technology Add-ons that are specific to - the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` - data model. Use the Splunk Common Information Model (CIM) to normalize the field - names and speed up the data modeling process. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name="net.exe" OR Processes.process_name="net1.exe") AND Processes.process = "*accounts*" AND Processes.process = "*/domain*" by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `password_policy_discovery_with_net_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. known_false_positives: Administrators or power users may use this command for troubleshooting. references: - https://github.com/S1ckB0y1337/Active-Directory-Exploitation-Cheat-Sheet @@ -78,7 +56,6 @@ tags: tests: - name: True Positive Test attack_data: - - data: - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1201/pwd_policy_discovery/windows-sysmon.log + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1201/pwd_policy_discovery/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/permission_modification_using_takeown_app.yml b/detections/endpoint/permission_modification_using_takeown_app.yml index 6d1d739c14..d1d6f3b3a3 100644 --- a/detections/endpoint/permission_modification_using_takeown_app.yml +++ b/detections/endpoint/permission_modification_using_takeown_app.yml @@ -16,12 +16,12 @@ known_false_positives: takeown.exe is a normal windows application that may used references: - https://research.nccgroup.com/2020/06/23/wastedlocker-a-new-ransomware-variant-developed-by-the-evil-corp-group/ drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/petitpotam_network_share_access_request.yml b/detections/endpoint/petitpotam_network_share_access_request.yml index ce4ee240f4..3524d98894 100644 --- a/detections/endpoint/petitpotam_network_share_access_request.yml +++ b/detections/endpoint/petitpotam_network_share_access_request.yml @@ -16,12 +16,12 @@ references: - https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=5145 - https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5145 drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/petitpotam_suspicious_kerberos_tgt_request.yml b/detections/endpoint/petitpotam_suspicious_kerberos_tgt_request.yml index 1223ef55c4..dbdc5d10a2 100644 --- a/detections/endpoint/petitpotam_suspicious_kerberos_tgt_request.yml +++ b/detections/endpoint/petitpotam_suspicious_kerberos_tgt_request.yml @@ -15,12 +15,12 @@ references: - https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4768 - https://isc.sans.edu/forums/diary/Active+Directory+Certificate+Services+ADCS+PKI+domain+admin+vulnerability/27668/ drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/ping_sleep_batch_command.yml b/detections/endpoint/ping_sleep_batch_command.yml index 8d1dd177b7..2196b95beb 100644 --- a/detections/endpoint/ping_sleep_batch_command.yml +++ b/detections/endpoint/ping_sleep_batch_command.yml @@ -16,12 +16,12 @@ known_false_positives: Administrator or network operator may execute this comman references: - https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/ drilldown_searches: -- name: View the detection results for $user$ and $dest$ - search: '%original_detection_search% | search user = $user$ dest = $dest$' +- name: View the detection results for - "$user$" and "$dest$" + search: '%original_detection_search% | search user = "$user$" dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ and $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$, $dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" and "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/possible_browser_pass_view_parameter.yml b/detections/endpoint/possible_browser_pass_view_parameter.yml index 291960bb65..6a5a7d02eb 100644 --- a/detections/endpoint/possible_browser_pass_view_parameter.yml +++ b/detections/endpoint/possible_browser_pass_view_parameter.yml @@ -5,37 +5,13 @@ date: '2024-10-17' author: Teoderick Contreras, Splunk status: production type: Hunting -description: The following analytic identifies processes with command-line parameters - associated with web browser credential dumping tools, specifically targeting behaviors - used by Remcos RAT malware. It leverages data from Endpoint Detection and Response - (EDR) agents, focusing on command-line executions and specific file paths. This - activity is significant as it indicates potential credential theft, a common tactic - in broader cyber-espionage campaigns. If confirmed malicious, attackers could gain - unauthorized access to sensitive web credentials, leading to further system compromise - and data breaches. +description: The following analytic identifies processes with command-line parameters associated with web browser credential dumping tools, specifically targeting behaviors used by Remcos RAT malware. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions and specific file paths. This activity is significant as it indicates potential credential theft, a common tactic in broader cyber-espionage campaigns. If confirmed malicious, attackers could gain unauthorized access to sensitive web credentials, leading to further system compromise and data breaches. data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) - as lastTime from datamodel=Endpoint.Processes where Processes.process IN ("*/stext - *", "*/shtml *", "*/LoadPasswordsIE*", "*/LoadPasswordsFirefox*", "*/LoadPasswordsChrome*", - "*/LoadPasswordsOpera*", "*/LoadPasswordsSafari*" , "*/UseOperaPasswordFile*", "*/OperaPasswordFile*","*/stab*", - "*/scomma*", "*/stabular*", "*/shtml*", "*/sverhtml*", "*/sxml*", "*/skeepass*" - ) AND Processes.process IN ("*\\temp\\*", "*\\users\\public\\*", "*\\programdata\\*") - by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process - Processes.process_name Processes.process Processes.process_id Processes.parent_process_id - Processes.original_file_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` | `possible_browser_pass_view_parameter_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection - and Response (EDR) agents. These agents are designed to provide security-related - telemetry from the endpoints where the agent is installed. To implement this search, - you must ingest logs that contain the process GUID, process name, and parent process. - Additionally, you must ingest complete command-line executions. These logs must - be processed using the appropriate Splunk Technology Add-ons that are specific to - the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` - data model. Use the Splunk Common Information Model (CIM) to normalize the field - names and speed up the data modeling process. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process IN ("*/stext *", "*/shtml *", "*/LoadPasswordsIE*", "*/LoadPasswordsFirefox*", "*/LoadPasswordsChrome*", "*/LoadPasswordsOpera*", "*/LoadPasswordsSafari*" , "*/UseOperaPasswordFile*", "*/OperaPasswordFile*","*/stab*", "*/scomma*", "*/stabular*", "*/shtml*", "*/sverhtml*", "*/sxml*", "*/skeepass*" ) AND Processes.process IN ("*\\temp\\*", "*\\users\\public\\*", "*\\programdata\\*") by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.original_file_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `possible_browser_pass_view_parameter_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. known_false_positives: False positive is quite limited. Filter is needed references: - https://www.nirsoft.net/utils/web_browser_password.html @@ -81,7 +57,6 @@ tags: tests: - name: True Positive Test attack_data: - - data: - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1555/web_browser_pass_view/sysmon.log + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1555/web_browser_pass_view/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/possible_lateral_movement_powershell_spawn.yml b/detections/endpoint/possible_lateral_movement_powershell_spawn.yml index 21bfe68af4..17658c4af8 100644 --- a/detections/endpoint/possible_lateral_movement_powershell_spawn.yml +++ b/detections/endpoint/possible_lateral_movement_powershell_spawn.yml @@ -20,12 +20,12 @@ references: - https://attack.mitre.org/techniques/T1053/005/ - https://attack.mitre.org/techniques/T1543/003/ drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/potential_password_in_username.yml b/detections/endpoint/potential_password_in_username.yml index 39f7b987f6..737b295ebe 100644 --- a/detections/endpoint/potential_password_in_username.yml +++ b/detections/endpoint/potential_password_in_username.yml @@ -5,37 +5,12 @@ date: '2024-10-17' author: Mikael Bjerkeland, Splunk status: production type: Hunting -description: The following analytic identifies instances where users may have mistakenly - entered their passwords in the username field during authentication attempts. It - detects this by analyzing failed authentication events with usernames longer than - 7 characters and high Shannon entropy, followed by a successful authentication from - the same source to the same destination. This activity is significant as it can - indicate potential security risks, such as password exposure. If confirmed malicious, - attackers could exploit this to gain unauthorized access, leading to potential data - breaches or further compromise of the system. +description: The following analytic identifies instances where users may have mistakenly entered their passwords in the username field during authentication attempts. It detects this by analyzing failed authentication events with usernames longer than 7 characters and high Shannon entropy, followed by a successful authentication from the same source to the same destination. This activity is significant as it can indicate potential security risks, such as password exposure. If confirmed malicious, attackers could exploit this to gain unauthorized access, leading to potential data breaches or further compromise of the system. data_source: - Linux Secure -search: '| tstats `security_content_summariesonly` earliest(_time) AS starttime latest(_time) - AS endtime latest(sourcetype) AS sourcetype values(Authentication.src) AS src values(Authentication.dest) - AS dest count FROM datamodel=Authentication WHERE nodename=Authentication.Failed_Authentication - BY "Authentication.user" | `drop_dm_object_name(Authentication)` | lookup ut_shannon_lookup - word AS user | where ut_shannon>3 AND len(user)>=8 AND mvcount(src) == 1 | sort - count, - ut_shannon | eval incorrect_cred=user | eval endtime=endtime+1000 | map - maxsearches=70 search="| tstats `security_content_summariesonly` earliest(_time) - AS starttime latest(_time) AS endtime latest(sourcetype) AS sourcetype values(Authentication.src) - AS src values(Authentication.dest) AS dest count FROM datamodel=Authentication WHERE - nodename=Authentication.Successful_Authentication Authentication.src=\"$src$\" Authentication.dest=\"$dest$\" - sourcetype IN (\"$sourcetype$\") earliest=\"$starttime$\" latest=\"$endtime$\" BY - \"Authentication.user\" | `drop_dm_object_name(\"Authentication\")` | `potential_password_in_username_false_positive_reduction` - | eval incorrect_cred=\"$incorrect_cred$\" | eval ut_shannon=\"$ut_shannon$\" | - sort count" | where user!=incorrect_cred | outlier action=RM count | `potential_password_in_username_filter`' -how_to_implement: To successfully implement this search, you need to have relevant - authentication logs mapped to the Authentication data model. You also need to have - the Splunk TA URL Toolbox (https://splunkbase.splunk.com/app/2734/) installed. The - detection must run with a time interval shorter than endtime+1000. -known_false_positives: Valid usernames with high entropy or source/destination system - pairs with multiple authenticating users will make it difficult to identify the - real user authenticating. +search: '| tstats `security_content_summariesonly` earliest(_time) AS starttime latest(_time) AS endtime latest(sourcetype) AS sourcetype values(Authentication.src) AS src values(Authentication.dest) AS dest count FROM datamodel=Authentication WHERE nodename=Authentication.Failed_Authentication BY "Authentication.user" | `drop_dm_object_name(Authentication)` | lookup ut_shannon_lookup word AS user | where ut_shannon>3 AND len(user)>=8 AND mvcount(src) == 1 | sort count, - ut_shannon | eval incorrect_cred=user | eval endtime=endtime+1000 | map maxsearches=70 search="| tstats `security_content_summariesonly` earliest(_time) AS starttime latest(_time) AS endtime latest(sourcetype) AS sourcetype values(Authentication.src) AS src values(Authentication.dest) AS dest count FROM datamodel=Authentication WHERE nodename=Authentication.Successful_Authentication Authentication.src=\"$src$\" Authentication.dest=\"$dest$\" sourcetype IN (\"$sourcetype$\") earliest=\"$starttime$\" latest=\"$endtime$\" BY \"Authentication.user\" | `drop_dm_object_name(\"Authentication\")` | `potential_password_in_username_false_positive_reduction` | eval incorrect_cred=\"$incorrect_cred$\" | eval ut_shannon=\"$ut_shannon$\" | sort count" | where user!=incorrect_cred | outlier action=RM count | `potential_password_in_username_filter`' +how_to_implement: To successfully implement this search, you need to have relevant authentication logs mapped to the Authentication data model. You also need to have the Splunk TA URL Toolbox (https://splunkbase.splunk.com/app/2734/) installed. The detection must run with a time interval shorter than endtime+1000. +known_false_positives: Valid usernames with high entropy or source/destination system pairs with multiple authenticating users will make it difficult to identify the real user authenticating. references: - https://medium.com/@markmotig/search-for-passwords-accidentally-typed-into-the-username-field-975f1a389928 tags: @@ -76,7 +51,6 @@ tags: tests: - name: True Positive Test attack_data: - - data: - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1552.001/password_in_username/linux_secure.log + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1552.001/password_in_username/linux_secure.log source: /var/log/secure sourcetype: linux_secure diff --git a/detections/endpoint/potentially_malicious_code_on_commandline.yml b/detections/endpoint/potentially_malicious_code_on_commandline.yml index 815895c903..4a5fc719a2 100644 --- a/detections/endpoint/potentially_malicious_code_on_commandline.yml +++ b/detections/endpoint/potentially_malicious_code_on_commandline.yml @@ -17,12 +17,12 @@ references: - https://attack.mitre.org/techniques/T1059/003/ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.001/T1059.001.md drilldown_searches: -- name: View the detection results for $dest$ and $user$ - search: '%original_detection_search% | search dest = $dest$ user = $user$' +- name: View the detection results for - "$dest$" and "$user$" + search: '%original_detection_search% | search dest = "$dest$" user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ and $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$, $user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" and "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/powershell_4104_hunting.yml b/detections/endpoint/powershell_4104_hunting.yml index 1ae238e9ec..93a2878a86 100644 --- a/detections/endpoint/powershell_4104_hunting.yml +++ b/detections/endpoint/powershell_4104_hunting.yml @@ -5,47 +5,11 @@ date: '2024-10-17' author: Michael Haag, Splunk status: production type: Hunting -description: The following analytic identifies suspicious PowerShell execution using - Script Block Logging (EventCode 4104). It leverages specific patterns and keywords - within the ScriptBlockText field to detect potentially malicious activities. This - detection is significant for SOC analysts as PowerShell is commonly used by attackers - for various malicious purposes, including code execution, privilege escalation, - and persistence. If confirmed malicious, this activity could allow attackers to - execute arbitrary commands, exfiltrate data, or maintain long-term access to the - compromised system, posing a severe threat to the organization's security. +description: The following analytic identifies suspicious PowerShell execution using Script Block Logging (EventCode 4104). It leverages specific patterns and keywords within the ScriptBlockText field to detect potentially malicious activities. This detection is significant for SOC analysts as PowerShell is commonly used by attackers for various malicious purposes, including code execution, privilege escalation, and persistence. If confirmed malicious, this activity could allow attackers to execute arbitrary commands, exfiltrate data, or maintain long-term access to the compromised system, posing a severe threat to the organization's security. data_source: - Powershell Script Block Logging 4104 -search: '`powershell` EventCode=4104 | eval DoIt = if(match(ScriptBlockText,"(?i)(\$doit)"), - "4", 0) | eval enccom=if(match(ScriptBlockText,"[A-Za-z0-9+\/]{44,}([A-Za-z0-9+\/]{4}|[A-Za-z0-9+\/]{3}=|[A-Za-z0-9+\/]{2}==)") - OR match(ScriptBlockText, "(?i)[-]e(nc*o*d*e*d*c*o*m*m*a*n*d*)*\s+[^-]"),4,0) | - eval suspcmdlet=if(match(ScriptBlockText, "(?i)Add-Exfiltration|Add-Persistence|Add-RegBackdoor|Add-ScrnSaveBackdoor|Check-VM|Do-Exfiltration|Enabled-DuplicateToken|Exploit-Jboss|Find-Fruit|Find-GPOLocation|Find-TrustedDocuments|Get-ApplicationHost|Get-ChromeDump|Get-ClipboardContents|Get-FoxDump|Get-GPPPassword|Get-IndexedItem|Get-Keystrokes|LSASecret|Get-PassHash|Get-RegAlwaysInstallElevated|Get-RegAutoLogon|Get-RickAstley|Get-Screenshot|Get-SecurityPackages|Get-ServiceFilePermission|Get-ServicePermission|Get-ServiceUnquoted|Get-SiteListPassword|Get-System|Get-TimedScreenshot|Get-UnattendedInstallFile|Get-Unconstrained|Get-VaultCredential|Get-VulnAutoRun|Get-VulnSchTask|Gupt-Backdoor|HTTP-Login|Install-SSP|Install-ServiceBinary|Invoke-ACLScanner|Invoke-ADSBackdoor|Invoke-ARPScan|Invoke-AllChecks|Invoke-BackdoorLNK|Invoke-BypassUAC|Invoke-CredentialInjection|Invoke-DCSync|Invoke-DllInjection|Invoke-DowngradeAccount|Invoke-EgressCheck|Invoke-Inveigh|Invoke-InveighRelay|Invoke-Mimikittenz|Invoke-NetRipper|Invoke-NinjaCopy|Invoke-PSInject|Invoke-Paranoia|Invoke-PortScan|Invoke-PoshRat|Invoke-PostExfil|Invoke-PowerDump|Invoke-PowerShellTCP|Invoke-PsExec|Invoke-PsUaCme|Invoke-ReflectivePEInjection|Invoke-ReverseDNSLookup|Invoke-RunAs|Invoke-SMBScanner|Invoke-SSHCommand|Invoke-Service|Invoke-Shellcode|Invoke-Tater|Invoke-ThunderStruck|Invoke-Token|Invoke-UserHunter|Invoke-VoiceTroll|Invoke-WScriptBypassUAC|Invoke-WinEnum|MailRaider|New-HoneyHash|Out-Minidump|Port-Scan|PowerBreach|PowerUp|PowerView|Remove-Update|Set-MacAttribute|Set-Wallpaper|Show-TargetScreen|Start-CaptureServer|VolumeShadowCopyTools|NEEEEWWW|(Computer|User)Property|CachedRDPConnection|get-net\S+|invoke-\S+hunter|Install-Service|get-\S+(credent|password)|remoteps|Kerberos.*(policy|ticket)|netfirewall|Uninstall-Windows|Verb\s+Runas|AmsiBypass|nishang|Invoke-Interceptor|EXEonRemote|NetworkRelay|PowerShelludp|PowerShellIcmp|CreateShortcut|copy-vss|invoke-dll|invoke-mass|out-shortcut|Invoke-ShellCommand"),1,0) - | eval base64 = if(match(lower(ScriptBlockText),"frombase64"), "4", 0) | eval empire=if(match(lower(ScriptBlockText),"system.net.webclient") - AND match(lower(ScriptBlockText), "frombase64string") ,5,0) | eval mimikatz=if(match(lower(ScriptBlockText),"mimikatz") - OR match(lower(ScriptBlockText), "-dumpcr") OR match(lower(ScriptBlockText), "SEKURLSA::Pth") - OR match(lower(ScriptBlockText), "kerberos::ptt") OR match(lower(ScriptBlockText), - "kerberos::golden") ,5,0) | eval iex=if(match(ScriptBlockText, "(?i)iex|invoke-expression"),2,0) - | eval webclient=if(match(lower(ScriptBlockText),"http") OR match(lower(ScriptBlockText),"web(client|request)") - OR match(lower(ScriptBlockText),"socket") OR match(lower(ScriptBlockText),"download(file|string)") - OR match(lower(ScriptBlockText),"bitstransfer") OR match(lower(ScriptBlockText),"internetexplorer.application") - OR match(lower(ScriptBlockText),"xmlhttp"),5,0) | eval get = if(match(lower(ScriptBlockText),"get-"), - "1", 0) | eval rundll32 = if(match(lower(ScriptBlockText),"rundll32"), "4", 0) | - eval suspkeywrd=if(match(ScriptBlockText, "(?i)(bitstransfer|mimik|metasp|AssemblyBuilderAccess|Reflection\.Assembly|shellcode|injection|cnvert|shell\.application|start-process|Rc4ByteStream|System\.Security\.Cryptography|lsass\.exe|localadmin|LastLoggedOn|hijack|BackupPrivilege|ngrok|comsvcs|backdoor|brute.?force|Port.?Scan|Exfiltration|exploit|DisableRealtimeMonitoring|beacon)"),1,0) - | eval syswow64 = if(match(lower(ScriptBlockText),"syswow64"), "3", 0) | eval httplocal - = if(match(lower(ScriptBlockText),"http://127.0.0.1"), "4", 0) | eval reflection - = if(match(lower(ScriptBlockText),"reflection"), "1", 0) | eval invokewmi=if(match(lower(ScriptBlockText), - "(?i)(wmiobject|WMIMethod|RemoteWMI|PowerShellWmi|wmicommand)"),5,0) | eval downgrade=if(match(ScriptBlockText, - "(?i)([-]ve*r*s*i*o*n*\s+2)") OR match(lower(ScriptBlockText),"powershell -version"),3,0) - | eval compressed=if(match(ScriptBlockText, "(?i)GZipStream|::Decompress|IO.Compression|write-zip|(expand|compress)-Archive"),5,0) - | eval invokecmd = if(match(lower(ScriptBlockText),"invoke-command"), "4", 0) | - addtotals fieldname=Score DoIt, enccom, suspcmdlet, suspkeywrd, compressed, downgrade, - mimikatz, iex, empire, rundll32, webclient, syswow64, httplocal, reflection, invokewmi, - invokecmd, base64, get | stats values(Score) by UserID, Computer, DoIt, enccom, - compressed, downgrade, iex, mimikatz, rundll32, empire, webclient, syswow64, httplocal, - reflection, invokewmi, invokecmd, base64, get, suspcmdlet, suspkeywrd | rename Computer - as dest, UserID as user | `powershell_4104_hunting_filter`' -how_to_implement: The following Hunting analytic requires PowerShell operational logs - to be imported. Modify the powershell macro as needed to match the sourcetype or - add index. This analytic is specific to 4104, or PowerShell Script Block Logging. +search: '`powershell` EventCode=4104 | eval DoIt = if(match(ScriptBlockText,"(?i)(\$doit)"), "4", 0) | eval enccom=if(match(ScriptBlockText,"[A-Za-z0-9+\/]{44,}([A-Za-z0-9+\/]{4}|[A-Za-z0-9+\/]{3}=|[A-Za-z0-9+\/]{2}==)") OR match(ScriptBlockText, "(?i)[-]e(nc*o*d*e*d*c*o*m*m*a*n*d*)*\s+[^-]"),4,0) | eval suspcmdlet=if(match(ScriptBlockText, "(?i)Add-Exfiltration|Add-Persistence|Add-RegBackdoor|Add-ScrnSaveBackdoor|Check-VM|Do-Exfiltration|Enabled-DuplicateToken|Exploit-Jboss|Find-Fruit|Find-GPOLocation|Find-TrustedDocuments|Get-ApplicationHost|Get-ChromeDump|Get-ClipboardContents|Get-FoxDump|Get-GPPPassword|Get-IndexedItem|Get-Keystrokes|LSASecret|Get-PassHash|Get-RegAlwaysInstallElevated|Get-RegAutoLogon|Get-RickAstley|Get-Screenshot|Get-SecurityPackages|Get-ServiceFilePermission|Get-ServicePermission|Get-ServiceUnquoted|Get-SiteListPassword|Get-System|Get-TimedScreenshot|Get-UnattendedInstallFile|Get-Unconstrained|Get-VaultCredential|Get-VulnAutoRun|Get-VulnSchTask|Gupt-Backdoor|HTTP-Login|Install-SSP|Install-ServiceBinary|Invoke-ACLScanner|Invoke-ADSBackdoor|Invoke-ARPScan|Invoke-AllChecks|Invoke-BackdoorLNK|Invoke-BypassUAC|Invoke-CredentialInjection|Invoke-DCSync|Invoke-DllInjection|Invoke-DowngradeAccount|Invoke-EgressCheck|Invoke-Inveigh|Invoke-InveighRelay|Invoke-Mimikittenz|Invoke-NetRipper|Invoke-NinjaCopy|Invoke-PSInject|Invoke-Paranoia|Invoke-PortScan|Invoke-PoshRat|Invoke-PostExfil|Invoke-PowerDump|Invoke-PowerShellTCP|Invoke-PsExec|Invoke-PsUaCme|Invoke-ReflectivePEInjection|Invoke-ReverseDNSLookup|Invoke-RunAs|Invoke-SMBScanner|Invoke-SSHCommand|Invoke-Service|Invoke-Shellcode|Invoke-Tater|Invoke-ThunderStruck|Invoke-Token|Invoke-UserHunter|Invoke-VoiceTroll|Invoke-WScriptBypassUAC|Invoke-WinEnum|MailRaider|New-HoneyHash|Out-Minidump|Port-Scan|PowerBreach|PowerUp|PowerView|Remove-Update|Set-MacAttribute|Set-Wallpaper|Show-TargetScreen|Start-CaptureServer|VolumeShadowCopyTools|NEEEEWWW|(Computer|User)Property|CachedRDPConnection|get-net\S+|invoke-\S+hunter|Install-Service|get-\S+(credent|password)|remoteps|Kerberos.*(policy|ticket)|netfirewall|Uninstall-Windows|Verb\s+Runas|AmsiBypass|nishang|Invoke-Interceptor|EXEonRemote|NetworkRelay|PowerShelludp|PowerShellIcmp|CreateShortcut|copy-vss|invoke-dll|invoke-mass|out-shortcut|Invoke-ShellCommand"),1,0) | eval base64 = if(match(lower(ScriptBlockText),"frombase64"), "4", 0) | eval empire=if(match(lower(ScriptBlockText),"system.net.webclient") AND match(lower(ScriptBlockText), "frombase64string") ,5,0) | eval mimikatz=if(match(lower(ScriptBlockText),"mimikatz") OR match(lower(ScriptBlockText), "-dumpcr") OR match(lower(ScriptBlockText), "SEKURLSA::Pth") OR match(lower(ScriptBlockText), "kerberos::ptt") OR match(lower(ScriptBlockText), "kerberos::golden") ,5,0) | eval iex=if(match(ScriptBlockText, "(?i)iex|invoke-expression"),2,0) | eval webclient=if(match(lower(ScriptBlockText),"http") OR match(lower(ScriptBlockText),"web(client|request)") OR match(lower(ScriptBlockText),"socket") OR match(lower(ScriptBlockText),"download(file|string)") OR match(lower(ScriptBlockText),"bitstransfer") OR match(lower(ScriptBlockText),"internetexplorer.application") OR match(lower(ScriptBlockText),"xmlhttp"),5,0) | eval get = if(match(lower(ScriptBlockText),"get-"), "1", 0) | eval rundll32 = if(match(lower(ScriptBlockText),"rundll32"), "4", 0) | eval suspkeywrd=if(match(ScriptBlockText, "(?i)(bitstransfer|mimik|metasp|AssemblyBuilderAccess|Reflection\.Assembly|shellcode|injection|cnvert|shell\.application|start-process|Rc4ByteStream|System\.Security\.Cryptography|lsass\.exe|localadmin|LastLoggedOn|hijack|BackupPrivilege|ngrok|comsvcs|backdoor|brute.?force|Port.?Scan|Exfiltration|exploit|DisableRealtimeMonitoring|beacon)"),1,0) | eval syswow64 = if(match(lower(ScriptBlockText),"syswow64"), "3", 0) | eval httplocal = if(match(lower(ScriptBlockText),"http://127.0.0.1"), "4", 0) | eval reflection = if(match(lower(ScriptBlockText),"reflection"), "1", 0) | eval invokewmi=if(match(lower(ScriptBlockText), "(?i)(wmiobject|WMIMethod|RemoteWMI|PowerShellWmi|wmicommand)"),5,0) | eval downgrade=if(match(ScriptBlockText, "(?i)([-]ve*r*s*i*o*n*\s+2)") OR match(lower(ScriptBlockText),"powershell -version"),3,0) | eval compressed=if(match(ScriptBlockText, "(?i)GZipStream|::Decompress|IO.Compression|write-zip|(expand|compress)-Archive"),5,0) | eval invokecmd = if(match(lower(ScriptBlockText),"invoke-command"), "4", 0) | addtotals fieldname=Score DoIt, enccom, suspcmdlet, suspkeywrd, compressed, downgrade, mimikatz, iex, empire, rundll32, webclient, syswow64, httplocal, reflection, invokewmi, invokecmd, base64, get | stats values(Score) by UserID, Computer, DoIt, enccom, compressed, downgrade, iex, mimikatz, rundll32, empire, webclient, syswow64, httplocal, reflection, invokewmi, invokecmd, base64, get, suspcmdlet, suspkeywrd | rename Computer as dest, UserID as user | `powershell_4104_hunting_filter`' +how_to_implement: The following Hunting analytic requires PowerShell operational logs to be imported. Modify the powershell macro as needed to match the sourcetype or add index. This analytic is specific to 4104, or PowerShell Script Block Logging. known_false_positives: Limited false positives. May filter as needed. references: - https://github.com/inodee/threathunting-spl/blob/master/hunt-queries/powershell_qualifiers.md @@ -70,8 +34,7 @@ tags: asset_type: Endpoint confidence: 100 impact: 80 - message: Powershell was identified on endpoint $host$ by user $user$ executing suspicious - commands. + message: Powershell was identified on endpoint $host$ by user $user$ executing suspicious commands. mitre_attack_id: - T1059 - T1059.001 @@ -100,7 +63,6 @@ tags: tests: - name: True Positive Test attack_data: - - data: - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/powershell_script_block_logging/sbl_xml.log + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/powershell_script_block_logging/sbl_xml.log source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/powershell___connect_to_internet_with_hidden_window.yml b/detections/endpoint/powershell___connect_to_internet_with_hidden_window.yml index a4e5f36a97..60634905c0 100644 --- a/detections/endpoint/powershell___connect_to_internet_with_hidden_window.yml +++ b/detections/endpoint/powershell___connect_to_internet_with_hidden_window.yml @@ -5,36 +5,14 @@ date: '2024-10-17' author: David Dorsey, Michael Haag Splunk status: production type: Hunting -description: The following analytic detects PowerShell commands using the WindowStyle - parameter to hide the window while connecting to the Internet. This behavior is - identified through Endpoint Detection and Response (EDR) telemetry, focusing on - command-line executions that include variations of the WindowStyle parameter. This - activity is significant because it attempts to bypass default PowerShell execution - policies and conceal its actions, which is often indicative of malicious intent. - If confirmed malicious, this could allow an attacker to execute commands stealthily, - potentially leading to unauthorized data exfiltration or further compromise of the - endpoint. +description: The following analytic detects PowerShell commands using the WindowStyle parameter to hide the window while connecting to the Internet. This behavior is identified through Endpoint Detection and Response (EDR) telemetry, focusing on command-line executions that include variations of the WindowStyle parameter. This activity is significant because it attempts to bypass default PowerShell execution policies and conceal its actions, which is often indicative of malicious intent. If confirmed malicious, this could allow an attacker to execute commands stealthily, potentially leading to unauthorized data exfiltration or further compromise of the endpoint. data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) - as lastTime from datamodel=Endpoint.Processes where `process_powershell` by Processes.user - Processes.process_name Processes.process Processes.parent_process_name Processes.original_file_name - Processes.dest Processes.process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` | where match(process,\"(?i)[\\-|\\/|– |—|―]w(in*d*o*w*s*t*y*l*e*)*\\\ - s+[^-]\") | `powershell___connect_to_internet_with_hidden_window_filter`" -how_to_implement: The detection is based on data that originates from Endpoint Detection - and Response (EDR) agents. These agents are designed to provide security-related - telemetry from the endpoints where the agent is installed. To implement this search, - you must ingest logs that contain the process GUID, process name, and parent process. - Additionally, you must ingest complete command-line executions. These logs must - be processed using the appropriate Splunk Technology Add-ons that are specific to - the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` - data model. Use the Splunk Common Information Model (CIM) to normalize the field - names and speed up the data modeling process. -known_false_positives: Legitimate process can have this combination of command-line - options, but it's not common. +search: "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_powershell` by Processes.user Processes.process_name Processes.process Processes.parent_process_name Processes.original_file_name Processes.dest Processes.process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | where match(process,\"(?i)[\\-|\\/|\u2013 |\u2014|\u2015]w(in*d*o*w*s*t*y*l*e*)*\\s+[^-]\") | `powershell___connect_to_internet_with_hidden_window_filter`" +how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. +known_false_positives: Legitimate process can have this combination of command-line options, but it's not common. references: - https://regexr.com/663rr - https://github.com/redcanaryco/AtomicTestHarnesses/blob/master/Windows/TestHarnesses/T1059.001_PowerShell/OutPowerShellCommandLineParameter.ps1 @@ -55,9 +33,7 @@ tags: cve: - CVE-2021-44228 impact: 90 - message: PowerShell processes $process$ started with parameters to modify the execution - policy of the run, run in a hidden window, and connect to the Internet on host - $dest$ executed by user $user$. + message: PowerShell processes $process$ started with parameters to modify the execution policy of the run, run in a hidden window, and connect to the Internet on host $dest$ executed by user $user$. mitre_attack_id: - T1059.001 - T1059 @@ -90,7 +66,6 @@ tags: tests: - name: True Positive Test attack_data: - - data: - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/hidden_powershell/windows-sysmon.log + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/hidden_powershell/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/powershell_com_hijacking_inprocserver32_modification.yml b/detections/endpoint/powershell_com_hijacking_inprocserver32_modification.yml index bc89b2853b..b844f42857 100644 --- a/detections/endpoint/powershell_com_hijacking_inprocserver32_modification.yml +++ b/detections/endpoint/powershell_com_hijacking_inprocserver32_modification.yml @@ -17,12 +17,12 @@ references: - https://blog.cluster25.duskrise.com/2022/09/23/in-the-footsteps-of-the-fancy-bear-powerpoint-graphite/ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.015/T1546.015.md drilldown_searches: -- name: View the detection results for $Computer$ - search: '%original_detection_search% | search Computer = $Computer$' +- name: View the detection results for - "$Computer$" + search: '%original_detection_search% | search Computer = "$Computer$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $Computer$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($Computer$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$Computer$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$Computer$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/powershell_creating_thread_mutex.yml b/detections/endpoint/powershell_creating_thread_mutex.yml index 7f958ee7e4..44c7996a11 100644 --- a/detections/endpoint/powershell_creating_thread_mutex.yml +++ b/detections/endpoint/powershell_creating_thread_mutex.yml @@ -18,12 +18,12 @@ references: - https://static1.squarespace.com/static/552092d5e4b0661088167e5c/t/59c1814829f18782e24f1fe2/1505853768977/Windows+PowerShell+Logging+Cheat+Sheet+ver+Sept+2017+v2.1.pdf - https://www.crowdstrike.com/blog/investigating-powershell-command-and-script-logging/ drilldown_searches: -- name: View the detection results for $dest$ and $user$ - search: '%original_detection_search% | search dest = $dest$ user = $user$' +- name: View the detection results for - "$dest$" and "$user$" + search: '%original_detection_search% | search dest = "$dest$" user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ and $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$, $user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" and "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/powershell_disable_security_monitoring.yml b/detections/endpoint/powershell_disable_security_monitoring.yml index 03c4780599..a300d30223 100644 --- a/detections/endpoint/powershell_disable_security_monitoring.yml +++ b/detections/endpoint/powershell_disable_security_monitoring.yml @@ -17,12 +17,12 @@ references: - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md#atomic-test-15---tamper-with-windows-defender-atp-powershell - https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/powershell_domain_enumeration.yml b/detections/endpoint/powershell_domain_enumeration.yml index a0ad1e3c0e..94b543f03a 100644 --- a/detections/endpoint/powershell_domain_enumeration.yml +++ b/detections/endpoint/powershell_domain_enumeration.yml @@ -18,12 +18,12 @@ references: - https://www.crowdstrike.com/blog/investigating-powershell-command-and-script-logging/ - https://www.splunk.com/en_us/blog/security/hunting-for-malicious-powershell-using-script-block-logging.html drilldown_searches: -- name: View the detection results for $dest$ and $user$ - search: '%original_detection_search% | search dest = $dest$ user = $user$' +- name: View the detection results for - "$dest$" and "$user$" + search: '%original_detection_search% | search dest = "$dest$" user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ and $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$, $user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" and "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/powershell_enable_powershell_remoting.yml b/detections/endpoint/powershell_enable_powershell_remoting.yml index 9096be31f3..a3a2cf6b5c 100644 --- a/detections/endpoint/powershell_enable_powershell_remoting.yml +++ b/detections/endpoint/powershell_enable_powershell_remoting.yml @@ -14,12 +14,12 @@ known_false_positives: Note that false positives may occur due to the use of the references: - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/enable-psremoting?view=powershell-7.3 drilldown_searches: -- name: View the detection results for $Computer$ - search: '%original_detection_search% | search Computer = $Computer$' +- name: View the detection results for - "$Computer$" + search: '%original_detection_search% | search Computer = "$Computer$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $Computer$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($Computer$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$Computer$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$Computer$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/powershell_enable_smb1protocol_feature.yml b/detections/endpoint/powershell_enable_smb1protocol_feature.yml index 25badcf52e..e6dce8a619 100644 --- a/detections/endpoint/powershell_enable_smb1protocol_feature.yml +++ b/detections/endpoint/powershell_enable_smb1protocol_feature.yml @@ -15,12 +15,12 @@ references: - https://app.any.run/tasks/c0f98850-af65-4352-9746-fbebadee4f05/ - https://www.splunk.com/en_us/blog/security/hunting-for-malicious-powershell-using-script-block-logging.html drilldown_searches: -- name: View the detection results for $Computer$ - search: '%original_detection_search% | search Computer = $Computer$' +- name: View the detection results for - "$Computer$" + search: '%original_detection_search% | search Computer = "$Computer$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $Computer$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($Computer$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$Computer$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$Computer$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/powershell_execute_com_object.yml b/detections/endpoint/powershell_execute_com_object.yml index bdb807d8ce..834445672f 100644 --- a/detections/endpoint/powershell_execute_com_object.yml +++ b/detections/endpoint/powershell_execute_com_object.yml @@ -15,12 +15,12 @@ references: - https://threadreaderapp.com/thread/1423361119926816776.html - https://www.splunk.com/en_us/blog/security/hunting-for-malicious-powershell-using-script-block-logging.html drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/powershell_fileless_process_injection_via_getprocaddress.yml b/detections/endpoint/powershell_fileless_process_injection_via_getprocaddress.yml index c833a938f7..e88b97836d 100644 --- a/detections/endpoint/powershell_fileless_process_injection_via_getprocaddress.yml +++ b/detections/endpoint/powershell_fileless_process_injection_via_getprocaddress.yml @@ -18,12 +18,12 @@ references: - https://www.crowdstrike.com/blog/investigating-powershell-command-and-script-logging/ - https://www.splunk.com/en_us/blog/security/hunting-for-malicious-powershell-using-script-block-logging.html drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/powershell_fileless_script_contains_base64_encoded_content.yml b/detections/endpoint/powershell_fileless_script_contains_base64_encoded_content.yml index dc74fcfff8..bca0bf2f5c 100644 --- a/detections/endpoint/powershell_fileless_script_contains_base64_encoded_content.yml +++ b/detections/endpoint/powershell_fileless_script_contains_base64_encoded_content.yml @@ -18,12 +18,12 @@ references: - https://www.crowdstrike.com/blog/investigating-powershell-command-and-script-logging/ - https://thedfirreport.com/2023/05/22/icedid-macro-ends-in-nokoyawa-ransomware/ drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/powershell_get_localgroup_discovery.yml b/detections/endpoint/powershell_get_localgroup_discovery.yml index a65fdd4ba3..05fe846d76 100644 --- a/detections/endpoint/powershell_get_localgroup_discovery.yml +++ b/detections/endpoint/powershell_get_localgroup_discovery.yml @@ -5,33 +5,13 @@ date: '2024-10-17' author: Michael Haag, Splunk status: production type: Hunting -description: The following analytic identifies the use of the `get-localgroup` command - executed via PowerShell or cmd.exe to enumerate local groups on an endpoint. This - detection leverages data from Endpoint Detection and Response (EDR) agents, focusing - on process names and command-line arguments. Monitoring this activity is significant - as it may indicate an attacker attempting to gather information about local group - memberships, which can be a precursor to privilege escalation. If confirmed malicious, - this activity could allow an attacker to identify and target privileged accounts, - potentially leading to unauthorized access and control over the system. +description: The following analytic identifies the use of the `get-localgroup` command executed via PowerShell or cmd.exe to enumerate local groups on an endpoint. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line arguments. Monitoring this activity is significant as it may indicate an attacker attempting to gather information about local group memberships, which can be a precursor to privilege escalation. If confirmed malicious, this activity could allow an attacker to identify and target privileged accounts, potentially leading to unauthorized access and control over the system. data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) - as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=powershell.exe - OR Processes.process_name=cmd.exe) (Processes.process="*get-localgroup*") by Processes.dest - Processes.user Processes.parent_process_name Processes.process_name Processes.process - Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` - | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `powershell_get_localgroup_discovery_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection - and Response (EDR) agents. These agents are designed to provide security-related - telemetry from the endpoints where the agent is installed. To implement this search, - you must ingest logs that contain the process GUID, process name, and parent process. - Additionally, you must ingest complete command-line executions. These logs must - be processed using the appropriate Splunk Technology Add-ons that are specific to - the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` - data model. Use the Splunk Common Information Model (CIM) to normalize the field - names and speed up the data modeling process. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=powershell.exe OR Processes.process_name=cmd.exe) (Processes.process="*get-localgroup*") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `powershell_get_localgroup_discovery_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. known_false_positives: False positives may be present. Tune as needed. references: - https://attack.mitre.org/techniques/T1069/001/ @@ -77,7 +57,6 @@ tags: tests: - name: True Positive Test attack_data: - - data: - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1069.001/atomic_red_team/windows-sysmon.log + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1069.001/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/powershell_get_localgroup_discovery_with_script_block_logging.yml b/detections/endpoint/powershell_get_localgroup_discovery_with_script_block_logging.yml index 9df53c3d52..8cd753585b 100644 --- a/detections/endpoint/powershell_get_localgroup_discovery_with_script_block_logging.yml +++ b/detections/endpoint/powershell_get_localgroup_discovery_with_script_block_logging.yml @@ -5,23 +5,11 @@ date: '2024-10-17' author: Michael Haag, Splunk status: production type: Hunting -description: 'The following analytic detects the execution of the PowerShell cmdlet - `get-localgroup` using PowerShell Script Block Logging (EventCode=4104). This method - captures the full command sent to PowerShell, providing detailed visibility into - script execution. Monitoring this activity is significant as it can indicate an - attempt to enumerate local groups, which may be a precursor to privilege escalation - or lateral movement. If confirmed malicious, an attacker could gain insights into - group memberships, potentially leading to unauthorized access or privilege abuse. - Review parallel processes and the entire script block for comprehensive analysis.' +description: The following analytic detects the execution of the PowerShell cmdlet `get-localgroup` using PowerShell Script Block Logging (EventCode=4104). This method captures the full command sent to PowerShell, providing detailed visibility into script execution. Monitoring this activity is significant as it can indicate an attempt to enumerate local groups, which may be a precursor to privilege escalation or lateral movement. If confirmed malicious, an attacker could gain insights into group memberships, potentially leading to unauthorized access or privilege abuse. Review parallel processes and the entire script block for comprehensive analysis. data_source: - Powershell Script Block Logging 4104 -search: '`powershell` EventCode=4104 ScriptBlockText = "*get-localgroup*" | stats - count min(_time) as firstTime max(_time) as lastTime by Opcode Computer UserID EventCode - ScriptBlockText | rename Computer as dest, UserID as user | `security_content_ctime(firstTime)` - |`security_content_ctime(lastTime)` | `powershell_get_localgroup_discovery_with_script_block_logging_filter`' -how_to_implement: To successfully implement this analytic, you will need to enable - PowerShell Script Block Logging on some or all endpoints. Additional setup here - https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. +search: '`powershell` EventCode=4104 ScriptBlockText = "*get-localgroup*" | stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer UserID EventCode ScriptBlockText | rename Computer as dest, UserID as user | `security_content_ctime(firstTime)` |`security_content_ctime(lastTime)` | `powershell_get_localgroup_discovery_with_script_block_logging_filter`' +how_to_implement: To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. known_false_positives: False positives may be present. Tune as needed. references: - https://www.splunk.com/en_us/blog/security/powershell-detections-threat-research-release-august-2021.html @@ -65,7 +53,6 @@ tags: tests: - name: True Positive Test attack_data: - - data: - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/powershell_script_block_logging/getlocalgroup.log + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/powershell_script_block_logging/getlocalgroup.log source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/powershell_invoke_cimmethod_cimsession.yml b/detections/endpoint/powershell_invoke_cimmethod_cimsession.yml index 79d55e4974..a5008e825c 100644 --- a/detections/endpoint/powershell_invoke_cimmethod_cimsession.yml +++ b/detections/endpoint/powershell_invoke_cimmethod_cimsession.yml @@ -14,12 +14,12 @@ known_false_positives: False positives may be present based on third-party appli references: - https://learn.microsoft.com/en-us/powershell/module/cimcmdlets/invoke-cimmethod?view=powershell-7.3 drilldown_searches: -- name: View the detection results for $Computer$ - search: '%original_detection_search% | search Computer = $Computer$' +- name: View the detection results for - "$Computer$" + search: '%original_detection_search% | search Computer = "$Computer$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $Computer$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($Computer$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$Computer$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$Computer$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/powershell_invoke_wmiexec_usage.yml b/detections/endpoint/powershell_invoke_wmiexec_usage.yml index 992ec54da9..8a1bcd825a 100644 --- a/detections/endpoint/powershell_invoke_wmiexec_usage.yml +++ b/detections/endpoint/powershell_invoke_wmiexec_usage.yml @@ -14,12 +14,12 @@ known_false_positives: False positives should be limited as this analytic is des references: - https://github.com/Kevin-Robertson/Invoke-TheHash/blob/master/Invoke-WMIExec.ps1 drilldown_searches: -- name: View the detection results for $Computer$ - search: '%original_detection_search% | search Computer = $Computer$' +- name: View the detection results for - "$Computer$" + search: '%original_detection_search% | search Computer = "$Computer$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $Computer$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($Computer$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$Computer$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$Computer$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/powershell_load_module_in_meterpreter.yml b/detections/endpoint/powershell_load_module_in_meterpreter.yml index ca85fdd726..f5a972b04d 100644 --- a/detections/endpoint/powershell_load_module_in_meterpreter.yml +++ b/detections/endpoint/powershell_load_module_in_meterpreter.yml @@ -14,12 +14,12 @@ known_false_positives: False positives should be very limited as this is strict references: - https://github.com/OJ/metasploit-payloads/blob/master/powershell/MSF.Powershell/Scripts.cs drilldown_searches: -- name: View the detection results for $user_id$ and $Computer$ - search: '%original_detection_search% | search user_id = $user_id$ Computer = $Computer$' +- name: View the detection results for - "$user_id$" and "$Computer$" + search: '%original_detection_search% | search user_id = "$user_id$" Computer = "$Computer$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user_id$ and $Computer$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user_id$, $Computer$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user_id$" and "$Computer$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user_id$", "$Computer$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/powershell_loading_dotnet_into_memory_via_reflection.yml b/detections/endpoint/powershell_loading_dotnet_into_memory_via_reflection.yml index e82f609324..ee3260743d 100644 --- a/detections/endpoint/powershell_loading_dotnet_into_memory_via_reflection.yml +++ b/detections/endpoint/powershell_loading_dotnet_into_memory_via_reflection.yml @@ -18,12 +18,12 @@ references: - https://static1.squarespace.com/static/552092d5e4b0661088167e5c/t/59c1814829f18782e24f1fe2/1505853768977/Windows+PowerShell+Logging+Cheat+Sheet+ver+Sept+2017+v2.1.pdf - https://www.crowdstrike.com/blog/investigating-powershell-command-and-script-logging/ drilldown_searches: -- name: View the detection results for $Computer$ and $UserID$ - search: '%original_detection_search% | search Computer = $Computer$ UserID = $UserID$' +- name: View the detection results for - "$Computer$" and "$UserID$" + search: '%original_detection_search% | search Computer = "$Computer$" UserID = "$UserID$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $Computer$ and $UserID$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($Computer$, $UserID$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$Computer$" and "$UserID$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$Computer$", "$UserID$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/powershell_processing_stream_of_data.yml b/detections/endpoint/powershell_processing_stream_of_data.yml index e5f3cab610..b91f2d8e35 100644 --- a/detections/endpoint/powershell_processing_stream_of_data.yml +++ b/detections/endpoint/powershell_processing_stream_of_data.yml @@ -20,12 +20,12 @@ references: - https://www.splunk.com/en_us/blog/security/hunting-for-malicious-powershell-using-script-block-logging.html - https://thedfirreport.com/2023/05/22/icedid-macro-ends-in-nokoyawa-ransomware/ drilldown_searches: -- name: View the detection results for $Computer$ and $UserID$ - search: '%original_detection_search% | search Computer = $Computer$ UserID = $UserID$' +- name: View the detection results for - "$Computer$" and "$UserID$" + search: '%original_detection_search% | search Computer = "$Computer$" UserID = "$UserID$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $Computer$ and $UserID$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($Computer$, $UserID$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$Computer$" and "$UserID$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$Computer$", "$UserID$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/powershell_remote_services_add_trustedhost.yml b/detections/endpoint/powershell_remote_services_add_trustedhost.yml index 4ea2f8433f..816ed014db 100644 --- a/detections/endpoint/powershell_remote_services_add_trustedhost.yml +++ b/detections/endpoint/powershell_remote_services_add_trustedhost.yml @@ -14,12 +14,12 @@ known_false_positives: user and network administrator may used this function to references: - https://malpedia.caad.fkie.fraunhofer.de/details/win.darkgate drilldown_searches: -- name: View the detection results for $dest$ and $user$ - search: '%original_detection_search% | search dest = $dest$ user = $user$' +- name: View the detection results for - "$dest$" and "$user$" + search: '%original_detection_search% | search dest = "$dest$" user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ and $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$, $user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" and "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/powershell_remote_thread_to_known_windows_process.yml b/detections/endpoint/powershell_remote_thread_to_known_windows_process.yml index 105a1f0859..73a2f148d0 100644 --- a/detections/endpoint/powershell_remote_thread_to_known_windows_process.yml +++ b/detections/endpoint/powershell_remote_thread_to_known_windows_process.yml @@ -14,12 +14,12 @@ known_false_positives: unknown references: - https://thedfirreport.com/2021/01/11/trickbot-still-alive-and-well/ drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/powershell_remove_windows_defender_directory.yml b/detections/endpoint/powershell_remove_windows_defender_directory.yml index 2264788d7d..05784fb798 100644 --- a/detections/endpoint/powershell_remove_windows_defender_directory.yml +++ b/detections/endpoint/powershell_remove_windows_defender_directory.yml @@ -14,12 +14,12 @@ known_false_positives: unknown references: - https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/ drilldown_searches: -- name: View the detection results for $Computer$ and $UserID$ - search: '%original_detection_search% | search Computer = $Computer$ UserID = $UserID$' +- name: View the detection results for - "$Computer$" and "$UserID$" + search: '%original_detection_search% | search Computer = "$Computer$" UserID = "$UserID$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $Computer$ and $UserID$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($Computer$, $UserID$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$Computer$" and "$UserID$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$Computer$", "$UserID$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/powershell_script_block_with_url_chain.yml b/detections/endpoint/powershell_script_block_with_url_chain.yml index cfa9b9d202..be52270ead 100644 --- a/detections/endpoint/powershell_script_block_with_url_chain.yml +++ b/detections/endpoint/powershell_script_block_with_url_chain.yml @@ -16,12 +16,12 @@ references: - https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/ - https://attack.mitre.org/techniques/T1059/001/ drilldown_searches: -- name: View the detection results for $dest$ and $user$ - search: '%original_detection_search% | search dest = $dest$ user = $user$' +- name: View the detection results for - "$dest$" and "$user$" + search: '%original_detection_search% | search dest = "$dest$" user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ and $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$, $user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" and "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/powershell_start_bitstransfer.yml b/detections/endpoint/powershell_start_bitstransfer.yml index 9761f9dc36..b97e51d061 100644 --- a/detections/endpoint/powershell_start_bitstransfer.yml +++ b/detections/endpoint/powershell_start_bitstransfer.yml @@ -17,12 +17,12 @@ references: - https://isc.sans.edu/diary/Investigating+Microsoft+BITS+Activity/23281 - https://docs.microsoft.com/en-us/windows/win32/bits/using-windows-powershell-to-create-bits-transfer-jobs drilldown_searches: -- name: View the detection results for $dest$ and $user$ - search: '%original_detection_search% | search dest = $dest$ user = $user$' +- name: View the detection results for - "$dest$" and "$user$" + search: '%original_detection_search% | search dest = "$dest$" user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ and $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$, $user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" and "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/powershell_start_or_stop_service.yml b/detections/endpoint/powershell_start_or_stop_service.yml index b1a91e7e3d..3d7d48913c 100644 --- a/detections/endpoint/powershell_start_or_stop_service.yml +++ b/detections/endpoint/powershell_start_or_stop_service.yml @@ -15,12 +15,12 @@ references: - https://learn-powershell.net/2012/01/15/startingstopping-and-restarting-remote-services-with-powershell/ - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/start-service?view=powershell-7.3 drilldown_searches: -- name: View the detection results for $Computer$ - search: '%original_detection_search% | search Computer = $Computer$' +- name: View the detection results for - "$Computer$" + search: '%original_detection_search% | search Computer = "$Computer$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $Computer$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($Computer$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$Computer$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$Computer$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/powershell_using_memory_as_backing_store.yml b/detections/endpoint/powershell_using_memory_as_backing_store.yml index 166130fdef..db4531b797 100644 --- a/detections/endpoint/powershell_using_memory_as_backing_store.yml +++ b/detections/endpoint/powershell_using_memory_as_backing_store.yml @@ -19,12 +19,12 @@ references: - https://www.crowdstrike.com/blog/investigating-powershell-command-and-script-logging/ - https://thedfirreport.com/2023/05/22/icedid-macro-ends-in-nokoyawa-ransomware/ drilldown_searches: -- name: View the detection results for $dest$ and $user$ - search: '%original_detection_search% | search dest = $dest$ user = $user$' +- name: View the detection results for - "$dest$" and "$user$" + search: '%original_detection_search% | search dest = "$dest$" user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ and $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$, $user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" and "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/powershell_webrequest_using_memory_stream.yml b/detections/endpoint/powershell_webrequest_using_memory_stream.yml index 1259b559a2..9d4027e600 100644 --- a/detections/endpoint/powershell_webrequest_using_memory_stream.yml +++ b/detections/endpoint/powershell_webrequest_using_memory_stream.yml @@ -16,12 +16,12 @@ references: - https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/ - https://attack.mitre.org/techniques/T1059/001/ drilldown_searches: -- name: View the detection results for $dest$ and $user$ - search: '%original_detection_search% | search dest = $dest$ user = $user$' +- name: View the detection results for - "$dest$" and "$user$" + search: '%original_detection_search% | search dest = "$dest$" user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ and $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$, $user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" and "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/powershell_windows_defender_exclusion_commands.yml b/detections/endpoint/powershell_windows_defender_exclusion_commands.yml index adebb5d0f6..87a85983b1 100644 --- a/detections/endpoint/powershell_windows_defender_exclusion_commands.yml +++ b/detections/endpoint/powershell_windows_defender_exclusion_commands.yml @@ -16,12 +16,12 @@ references: - https://app.any.run/tasks/cf1245de-06a7-4366-8209-8e3006f2bfe5/ - https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/ drilldown_searches: -- name: View the detection results for $user$ and $dest$ - search: '%original_detection_search% | search user = $user$ dest = $dest$' +- name: View the detection results for - "$user$" and "$dest$" + search: '%original_detection_search% | search user = "$user$" dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ and $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$, $dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" and "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/prevent_automatic_repair_mode_using_bcdedit.yml b/detections/endpoint/prevent_automatic_repair_mode_using_bcdedit.yml index 293c49c6e3..e3f32be78b 100644 --- a/detections/endpoint/prevent_automatic_repair_mode_using_bcdedit.yml +++ b/detections/endpoint/prevent_automatic_repair_mode_using_bcdedit.yml @@ -16,12 +16,12 @@ known_false_positives: Administrators may modify the boot configuration ignore f references: - https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_1_tamada-yamazaki-nakatsuru_en.pdf drilldown_searches: -- name: View the detection results for $dest$ and $user$ - search: '%original_detection_search% | search dest = $dest$ user = $user$' +- name: View the detection results for - "$dest$" and "$user$" + search: '%original_detection_search% | search dest = "$dest$" user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ and $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$, $user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" and "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/print_processor_registry_autostart.yml b/detections/endpoint/print_processor_registry_autostart.yml index 9da6977202..745bfeb3a8 100644 --- a/detections/endpoint/print_processor_registry_autostart.yml +++ b/detections/endpoint/print_processor_registry_autostart.yml @@ -5,30 +5,13 @@ date: '2024-10-17' author: Teoderick Contreras, Splunk status: experimental type: TTP -description: The following analytic detects suspicious modifications or new entries - in the Print Processor registry path. It leverages registry activity data from the - Endpoint data model to identify changes in the specified registry path. This activity - is significant because the Print Processor registry is known to be exploited by - APT groups like Turla for persistence and privilege escalation. If confirmed malicious, - this could allow an attacker to execute a malicious DLL payload by restarting the - spoolsv.exe process, leading to potential control over the compromised machine. +description: The following analytic detects suspicious modifications or new entries in the Print Processor registry path. It leverages registry activity data from the Endpoint data model to identify changes in the specified registry path. This activity is significant because the Print Processor registry is known to be exploited by APT groups like Turla for persistence and privilege escalation. If confirmed malicious, this could allow an attacker to execute a malicious DLL payload by restarting the spoolsv.exe process, leading to potential control over the compromised machine. data_source: -- Sysmon EventID 12 +- Sysmon EventID 12 - Sysmon EventID 13 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime - max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path - ="*\\Control\\Print\\Environments\\Windows x64\\Print Processors*" by Registry.dest Registry.user - Registry.registry_path Registry.registry_key_name Registry.registry_value_name | - `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `drop_dm_object_name(Registry)` - | `print_processor_registry_autostart_filter`' -how_to_implement: To successfully implement this search, you must be ingesting data - that records registry activity from your hosts to populate the endpoint data model - in the registry node. This is typically populated via endpoint detection-and-response - product, such as Carbon Black or endpoint data sources, such as Sysmon. The data - used for this search is typically generated via logs that report reads and writes - to the registry. -known_false_positives: possible new printer installation may add driver component - on this registry. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path ="*\\Control\\Print\\Environments\\Windows x64\\Print Processors*" by Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `drop_dm_object_name(Registry)` | `print_processor_registry_autostart_filter`' +how_to_implement: To successfully implement this search, you must be ingesting data that records registry activity from your hosts to populate the endpoint data model in the registry node. This is typically populated via endpoint detection-and-response product, such as Carbon Black or endpoint data sources, such as Sysmon. The data used for this search is typically generated via logs that report reads and writes to the registry. +known_false_positives: possible new printer installation may add driver component on this registry. references: - https://attack.mitre.org/techniques/T1547/012/ - https://www.welivesecurity.com/2020/05/21/no-game-over-winnti-group/ @@ -70,7 +53,6 @@ tags: tests: - name: True Positive Test attack_data: - - data: - https://media.githubusercontent.com/media/splunk/attack_data/master/1f5b68aa-2037-11ec-898e-acde48001122.txt + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/1f5b68aa-2037-11ec-898e-acde48001122.txt source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/print_spooler_adding_a_printer_driver.yml b/detections/endpoint/print_spooler_adding_a_printer_driver.yml index 489314bd82..9de2400d2e 100644 --- a/detections/endpoint/print_spooler_adding_a_printer_driver.yml +++ b/detections/endpoint/print_spooler_adding_a_printer_driver.yml @@ -17,12 +17,12 @@ references: - https://www.truesec.com/hub/blog/exploitable-critical-rce-vulnerability-allows-regular-users-to-fully-compromise-active-directory-printnightmare-cve-2021-1675 - https://www.reddit.com/r/msp/comments/ob6y02/critical_vulnerability_printnightmare_exposes drilldown_searches: -- name: View the detection results for $ComputerName$ - search: '%original_detection_search% | search ComputerName = $ComputerName$' +- name: View the detection results for - "$ComputerName$" + search: '%original_detection_search% | search ComputerName = "$ComputerName$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $ComputerName$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($ComputerName$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$ComputerName$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$ComputerName$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/print_spooler_failed_to_load_a_plug_in.yml b/detections/endpoint/print_spooler_failed_to_load_a_plug_in.yml index 632fa1f32d..6724c98beb 100644 --- a/detections/endpoint/print_spooler_failed_to_load_a_plug_in.yml +++ b/detections/endpoint/print_spooler_failed_to_load_a_plug_in.yml @@ -17,12 +17,12 @@ references: - https://www.truesec.com/hub/blog/exploitable-critical-rce-vulnerability-allows-regular-users-to-fully-compromise-active-directory-printnightmare-cve-2021-1675 - https://www.reddit.com/r/msp/comments/ob6y02/critical_vulnerability_printnightmare_exposes drilldown_searches: -- name: View the detection results for $ComputerName$ - search: '%original_detection_search% | search ComputerName = $ComputerName$' +- name: View the detection results for - "$ComputerName$" + search: '%original_detection_search% | search ComputerName = "$ComputerName$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $ComputerName$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($ComputerName$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$ComputerName$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$ComputerName$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/process_creating_lnk_file_in_suspicious_location.yml b/detections/endpoint/process_creating_lnk_file_in_suspicious_location.yml index 66af7b9cb9..a92f38c750 100644 --- a/detections/endpoint/process_creating_lnk_file_in_suspicious_location.yml +++ b/detections/endpoint/process_creating_lnk_file_in_suspicious_location.yml @@ -16,12 +16,12 @@ references: - https://www.trendmicro.com/en_us/research/17/e/rising-trend-attackers-using-lnk-files-download-malware.html - https://twitter.com/pr0xylife/status/1590394227758104576 drilldown_searches: -- name: View the detection results for $dest$ and $user$ - search: '%original_detection_search% | search dest = $dest$ user = $user$' +- name: View the detection results for - "$dest$" and "$user$" + search: '%original_detection_search% | search dest = "$dest$" user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ and $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$, $user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" and "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/process_deleting_its_process_file_path.yml b/detections/endpoint/process_deleting_its_process_file_path.yml index 0453c738a5..c558eea80a 100644 --- a/detections/endpoint/process_deleting_its_process_file_path.yml +++ b/detections/endpoint/process_deleting_its_process_file_path.yml @@ -18,12 +18,12 @@ references: - https://blog.virustotal.com/2020/11/keep-your-friends-close-keep-ransomware.html - https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/ drilldown_searches: -- name: View the detection results for $dest$ and $user$ - search: '%original_detection_search% | search dest = $dest$ user = $user$' +- name: View the detection results for - "$dest$" and "$user$" + search: '%original_detection_search% | search dest = "$dest$" user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ and $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$, $user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" and "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/process_execution_via_wmi.yml b/detections/endpoint/process_execution_via_wmi.yml index 715910e60d..c4e6e69d12 100644 --- a/detections/endpoint/process_execution_via_wmi.yml +++ b/detections/endpoint/process_execution_via_wmi.yml @@ -15,12 +15,12 @@ how_to_implement: The detection is based on data that originates from Endpoint D known_false_positives: Although unlikely, administrators may use wmi to execute commands for legitimate purposes. references: [] drilldown_searches: -- name: View the detection results for $dest$ and $user$ - search: '%original_detection_search% | search dest = $dest$ user = $user$' +- name: View the detection results for - "$dest$" and "$user$" + search: '%original_detection_search% | search dest = "$dest$" user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ and $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$, $user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" and "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/process_kill_base_on_file_path.yml b/detections/endpoint/process_kill_base_on_file_path.yml index 4bc9c12cc1..95353e08e2 100644 --- a/detections/endpoint/process_kill_base_on_file_path.yml +++ b/detections/endpoint/process_kill_base_on_file_path.yml @@ -16,12 +16,12 @@ known_false_positives: Unknown. references: - https://thedfirreport.com/2020/04/20/sqlserver-or-the-miner-in-the-basement/ drilldown_searches: -- name: View the detection results for $dest$ and $user$ - search: '%original_detection_search% | search dest = $dest$ user = $user$' +- name: View the detection results for - "$dest$" and "$user$" + search: '%original_detection_search% | search dest = "$dest$" user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ and $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$, $user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" and "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/process_writing_dynamicwrapperx.yml b/detections/endpoint/process_writing_dynamicwrapperx.yml index a43ade5afd..cbbc2efa2c 100644 --- a/detections/endpoint/process_writing_dynamicwrapperx.yml +++ b/detections/endpoint/process_writing_dynamicwrapperx.yml @@ -5,36 +5,12 @@ date: '2024-10-17' author: Michael Haag, Splunk status: production type: Hunting -description: The following analytic detects a process writing the dynwrapx.dll file - to disk and registering it in the registry. It leverages data from the Endpoint - datamodel, specifically monitoring process and filesystem events. This activity - is significant because DynamicWrapperX is an ActiveX component often used in scripts - to call Windows API functions, and its presence in non-standard locations is highly - suspicious. If confirmed malicious, this could allow an attacker to execute arbitrary - code, escalate privileges, or maintain persistence within the environment. Immediate - investigation of parallel processes and registry modifications is recommended. +description: The following analytic detects a process writing the dynwrapx.dll file to disk and registering it in the registry. It leverages data from the Endpoint datamodel, specifically monitoring process and filesystem events. This activity is significant because DynamicWrapperX is an ActiveX component often used in scripts to call Windows API functions, and its presence in non-standard locations is highly suspicious. If confirmed malicious, this could allow an attacker to execute arbitrary code, escalate privileges, or maintain persistence within the environment. Immediate investigation of parallel processes and registry modifications is recommended. data_source: - Sysmon EventID 1 AND Sysmon EventID 11 -search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes - by _time Processes.process_id Processes.process_name Processes.dest Processes.process_guid - Processes.user | `drop_dm_object_name(Processes)` | join process_guid [| tstats - `security_content_summariesonly` count FROM datamodel=Endpoint.Filesystem where - Filesystem.file_name="dynwrapx.dll" by _time Filesystem.dest Filesystem.file_create_time - Filesystem.file_name Filesystem.file_path Filesystem.process_guid Filesystem.user - | `drop_dm_object_name(Filesystem)` | fields _time process_guid file_path file_name - file_create_time user dest process_name] | stats count min(_time) as firstTime max(_time) - as lastTime by dest process_name process_guid file_name file_path file_create_time - user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` - | `process_writing_dynamicwrapperx_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information - on process that include the name of the process responsible for the changes from - your endpoints into the `Endpoint` datamodel in the `Processes` and `Filesystem` - node. In addition, confirm the latest CIM App 4.20 or higher is installed and the - latest TA for the endpoint product. -known_false_positives: False positives should be limited, however it is possible to - filter by Processes.process_name and specific processes (ex. wscript.exe). Filter - as needed. This may need modification based on EDR telemetry and how it brings in - registry data. For example, removal of (Default). +search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes by _time Processes.process_id Processes.process_name Processes.dest Processes.process_guid Processes.user | `drop_dm_object_name(Processes)` | join process_guid [| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Filesystem where Filesystem.file_name="dynwrapx.dll" by _time Filesystem.dest Filesystem.file_create_time Filesystem.file_name Filesystem.file_path Filesystem.process_guid Filesystem.user | `drop_dm_object_name(Filesystem)` | fields _time process_guid file_path file_name file_create_time user dest process_name] | stats count min(_time) as firstTime max(_time) as lastTime by dest process_name process_guid file_name file_path file_create_time user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `process_writing_dynamicwrapperx_filter`' +how_to_implement: To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` and `Filesystem` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product. +known_false_positives: False positives should be limited, however it is possible to filter by Processes.process_name and specific processes (ex. wscript.exe). Filter as needed. This may need modification based on EDR telemetry and how it brings in registry data. For example, removal of (Default). references: - https://blog.f-secure.com/hunting-for-koadic-a-com-based-rootkit/ - https://www.script-coding.com/dynwrapx_eng.html @@ -47,8 +23,7 @@ tags: asset_type: Endpoint confidence: 100 impact: 80 - message: An instance of $process_name$ was identified on endpoint $dest$ downloading - the DynamicWrapperX dll. + message: An instance of $process_name$ was identified on endpoint $dest$ downloading the DynamicWrapperX dll. mitre_attack_id: - T1059 - T1559.001 @@ -82,7 +57,6 @@ tags: tests: - name: True Positive Test attack_data: - - data: - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/remcos/remcos/windows-sysmon.log + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/remcos/remcos/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/processes_launching_netsh.yml b/detections/endpoint/processes_launching_netsh.yml index 3652afa0cc..112b405b55 100644 --- a/detections/endpoint/processes_launching_netsh.yml +++ b/detections/endpoint/processes_launching_netsh.yml @@ -16,12 +16,12 @@ known_false_positives: Some VPN applications are known to launch netsh.exe. Outs references: - https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/ drilldown_searches: -- name: View the detection results for $dest$ and $user$ - search: '%original_detection_search% | search dest = $dest$ user = $user$' +- name: View the detection results for - "$dest$" and "$user$" + search: '%original_detection_search% | search dest = "$dest$" user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ and $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$, $user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" and "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/processes_tapping_keyboard_events.yml b/detections/endpoint/processes_tapping_keyboard_events.yml index 470fd0eb7d..fbf470d945 100644 --- a/detections/endpoint/processes_tapping_keyboard_events.yml +++ b/detections/endpoint/processes_tapping_keyboard_events.yml @@ -5,28 +5,11 @@ date: '2024-10-17' author: Jose Hernandez, Splunk status: experimental type: TTP -description: The following analytic detects processes on macOS systems that are tapping - keyboard events, potentially monitoring all keystrokes made by a user. It leverages - data from osquery results within the Alerts data model, focusing on specific process - names and command lines. This activity is significant as it is a common technique - used by Remote Access Trojans (RATs) to log keystrokes, posing a serious security - risk. If confirmed malicious, this could lead to unauthorized access to sensitive - information, including passwords and personal data, compromising the integrity and - confidentiality of the system. +description: The following analytic detects processes on macOS systems that are tapping keyboard events, potentially monitoring all keystrokes made by a user. It leverages data from osquery results within the Alerts data model, focusing on specific process names and command lines. This activity is significant as it is a common technique used by Remote Access Trojans (RATs) to log keystrokes, posing a serious security risk. If confirmed malicious, this could lead to unauthorized access to sensitive information, including passwords and personal data, compromising the integrity and confidentiality of the system. data_source: [] -search: '| from datamodel Alerts.Alerts | search app=osquery:results name=pack_osx-attacks_Keyboard_Event_Taps - | rename columns.cmdline as cmd, columns.name as process_name, columns.pid as process_id| - dedup host,process_name | table host,process_name, cmd, process_id | `processes_tapping_keyboard_events_filter`' -how_to_implement: In order to properly run this search, Splunk needs to ingest data - from your osquery deployed agents with the - [osx-attacks.conf](https://github.com/facebook/osquery/blob/experimental/packs/osx-attacks.conf#L599) - pack enabled. Also the [TA-OSquery](https://github.com/d1vious/TA-osquery) must - be deployed across your indexers and universal forwarders in order to have the osquery - data populate the Alerts data model. -known_false_positives: There might be some false positives as keyboard event taps - are used by processes like Siri and Zoom video chat, for some good examples of processes - to exclude please see [this](https://github.com/facebook/osquery/pull/5345#issuecomment-454639161) - comment. +search: '| from datamodel Alerts.Alerts | search app=osquery:results name=pack_osx-attacks_Keyboard_Event_Taps | rename columns.cmdline as cmd, columns.name as process_name, columns.pid as process_id| dedup host,process_name | table host,process_name, cmd, process_id | `processes_tapping_keyboard_events_filter`' +how_to_implement: In order to properly run this search, Splunk needs to ingest data from your osquery deployed agents with the [osx-attacks.conf](https://github.com/facebook/osquery/blob/experimental/packs/osx-attacks.conf#L599) pack enabled. Also the [TA-OSquery](https://github.com/d1vious/TA-osquery) must be deployed across your indexers and universal forwarders in order to have the osquery data populate the Alerts data model. +known_false_positives: There might be some false positives as keyboard event taps are used by processes like Siri and Zoom video chat, for some good examples of processes to exclude please see [this](https://github.com/facebook/osquery/pull/5345#issuecomment-454639161) comment. references: [] tags: analytic_story: diff --git a/detections/endpoint/randomly_generated_scheduled_task_name.yml b/detections/endpoint/randomly_generated_scheduled_task_name.yml index d2c2f30411..2520f7ecd4 100644 --- a/detections/endpoint/randomly_generated_scheduled_task_name.yml +++ b/detections/endpoint/randomly_generated_scheduled_task_name.yml @@ -5,22 +5,11 @@ date: '2024-10-17' author: Mauricio Velazco, Splunk status: experimental type: Hunting -description: The following analytic detects the creation of a Scheduled Task with - a high entropy, randomly generated name, leveraging Event ID 4698. It uses the `ut_shannon` - function from the URL ToolBox Splunk application to measure the entropy of the Task - Name. This activity is significant as adversaries often use randomly named Scheduled - Tasks for lateral movement and remote code execution, employing tools like Impacket - or CrackMapExec. If confirmed malicious, this could allow attackers to execute arbitrary - code remotely, potentially leading to further compromise and persistence within - the network. +description: The following analytic detects the creation of a Scheduled Task with a high entropy, randomly generated name, leveraging Event ID 4698. It uses the `ut_shannon` function from the URL ToolBox Splunk application to measure the entropy of the Task Name. This activity is significant as adversaries often use randomly named Scheduled Tasks for lateral movement and remote code execution, employing tools like Impacket or CrackMapExec. If confirmed malicious, this could allow attackers to execute arbitrary code remotely, potentially leading to further compromise and persistence within the network. data_source: - Windows Event Log Security 4698 -search: '`wineventlog_security` EventCode=4698 | xmlkv Message | lookup ut_shannon_lookup - word as Task_Name | where ut_shannon > 3 | table _time, dest, Task_Name, ut_shannon, - Command, Author, Enabled, Hidden | `randomly_generated_scheduled_task_name_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting - Windows Security Event Logs with 4698 EventCode enabled. The Windows TA as well - as the URL ToolBox application are also required. +search: '`wineventlog_security` EventCode=4698 | xmlkv Message | lookup ut_shannon_lookup word as Task_Name | where ut_shannon > 3 | table _time, dest, Task_Name, ut_shannon, Command, Author, Enabled, Hidden | `randomly_generated_scheduled_task_name_filter`' +how_to_implement: To successfully implement this search, you need to be ingesting Windows Security Event Logs with 4698 EventCode enabled. The Windows TA as well as the URL ToolBox application are also required. known_false_positives: Legitimate applications may use random Scheduled Task names. references: - https://attack.mitre.org/techniques/T1053/005/ diff --git a/detections/endpoint/randomly_generated_windows_service_name.yml b/detections/endpoint/randomly_generated_windows_service_name.yml index 5b1596ea03..b1c573d7c5 100644 --- a/detections/endpoint/randomly_generated_windows_service_name.yml +++ b/detections/endpoint/randomly_generated_windows_service_name.yml @@ -5,22 +5,11 @@ date: '2024-10-17' author: Mauricio Velazco, Splunk status: experimental type: Hunting -description: The following analytic detects the installation of a Windows Service - with a suspicious, high-entropy name, indicating potential malicious activity. It - leverages Event ID 7045 and the `ut_shannon` function from the URL ToolBox Splunk - application to identify services with random names. This behavior is significant - as adversaries often use randomly named services for lateral movement and remote - code execution. If confirmed malicious, this activity could allow attackers to execute - arbitrary code, escalate privileges, or maintain persistence within the environment. +description: The following analytic detects the installation of a Windows Service with a suspicious, high-entropy name, indicating potential malicious activity. It leverages Event ID 7045 and the `ut_shannon` function from the URL ToolBox Splunk application to identify services with random names. This behavior is significant as adversaries often use randomly named services for lateral movement and remote code execution. If confirmed malicious, this activity could allow attackers to execute arbitrary code, escalate privileges, or maintain persistence within the environment. data_source: - Windows Event Log System 7045 -search: '`wineventlog_system` EventCode=7045 | lookup ut_shannon_lookup word as Service_Name - | where ut_shannon > 3 | table EventCode ComputerName Service_Name ut_shannon Service_Start_Type - Service_Type Service_File_Name | `randomly_generated_windows_service_name_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting - logs with the Service name, Service File Name Service Start type, and Service Type - from your endpoints. The Windows TA as well as the URL ToolBox application are also - required. +search: '`wineventlog_system` EventCode=7045 | lookup ut_shannon_lookup word as Service_Name | where ut_shannon > 3 | table EventCode ComputerName Service_Name ut_shannon Service_Start_Type Service_Type Service_File_Name | `randomly_generated_windows_service_name_filter`' +how_to_implement: To successfully implement this search, you need to be ingesting logs with the Service name, Service File Name Service Start type, and Service Type from your endpoints. The Windows TA as well as the URL ToolBox application are also required. known_false_positives: Legitimate applications may use random Windows Service names. references: - https://attack.mitre.org/techniques/T1543/003/ diff --git a/detections/endpoint/ransomware_notes_bulk_creation.yml b/detections/endpoint/ransomware_notes_bulk_creation.yml index 2a4003ed38..0b70a6b0b5 100644 --- a/detections/endpoint/ransomware_notes_bulk_creation.yml +++ b/detections/endpoint/ransomware_notes_bulk_creation.yml @@ -15,12 +15,12 @@ references: - https://www.mandiant.com/resources/fin11-email-campaigns-precursor-for-ransomware-data-theft - https://blog.virustotal.com/2020/11/keep-your-friends-close-keep-ransomware.html drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/recon_avproduct_through_pwh_or_wmi.yml b/detections/endpoint/recon_avproduct_through_pwh_or_wmi.yml index 59d3328d20..7d794c7161 100644 --- a/detections/endpoint/recon_avproduct_through_pwh_or_wmi.yml +++ b/detections/endpoint/recon_avproduct_through_pwh_or_wmi.yml @@ -19,12 +19,12 @@ references: - https://www.crowdstrike.com/blog/investigating-powershell-command-and-script-logging/ - https://www.splunk.com/en_us/blog/security/hunting-for-malicious-powershell-using-script-block-logging.html drilldown_searches: -- name: View the detection results for $dest$ and $user$ - search: '%original_detection_search% | search dest = $dest$ user = $user$' +- name: View the detection results for - "$dest$" and "$user$" + search: '%original_detection_search% | search dest = "$dest$" user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ and $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$, $user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" and "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/recon_using_wmi_class.yml b/detections/endpoint/recon_using_wmi_class.yml index edb585c7fd..3bdd604c44 100644 --- a/detections/endpoint/recon_using_wmi_class.yml +++ b/detections/endpoint/recon_using_wmi_class.yml @@ -21,12 +21,12 @@ references: - https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/ - https://blogs.vmware.com/security/2022/10/lockbit-3-0-also-known-as-lockbit-black.html drilldown_searches: -- name: View the detection results for $dest$ and $user$ - search: '%original_detection_search% | search dest = $dest$ user = $user$' +- name: View the detection results for - "$dest$" and "$user$" + search: '%original_detection_search% | search dest = "$dest$" user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ and $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$, $user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" and "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/recursive_delete_of_directory_in_batch_cmd.yml b/detections/endpoint/recursive_delete_of_directory_in_batch_cmd.yml index 428aeee563..8952a38ecb 100644 --- a/detections/endpoint/recursive_delete_of_directory_in_batch_cmd.yml +++ b/detections/endpoint/recursive_delete_of_directory_in_batch_cmd.yml @@ -16,12 +16,12 @@ known_false_positives: network operator may use this batch command to delete rec references: - https://app.any.run/tasks/c0f98850-af65-4352-9746-fbebadee4f05/ drilldown_searches: -- name: View the detection results for $user$ - search: '%original_detection_search% | search user = $user$' +- name: View the detection results for - "$user$" + search: '%original_detection_search% | search user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/reg_exe_manipulating_windows_services_registry_keys.yml b/detections/endpoint/reg_exe_manipulating_windows_services_registry_keys.yml index 9ee0c51b10..9350f9d234 100644 --- a/detections/endpoint/reg_exe_manipulating_windows_services_registry_keys.yml +++ b/detections/endpoint/reg_exe_manipulating_windows_services_registry_keys.yml @@ -15,12 +15,12 @@ how_to_implement: The detection is based on data that originates from Endpoint D known_false_positives: It is unusual for a service to be created or modified by directly manipulating the registry. However, there may be legitimate instances of this behavior. It is important to validate and investigate, as appropriate. references: [] drilldown_searches: -- name: View the detection results for $dest$ and $user$ - search: '%original_detection_search% | search dest = $dest$ user = $user$' +- name: View the detection results for - "$dest$" and "$user$" + search: '%original_detection_search% | search dest = "$dest$" user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ and $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$, $user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" and "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/registry_keys_for_creating_shim_databases.yml b/detections/endpoint/registry_keys_for_creating_shim_databases.yml index 32f973e0d0..0056b1b9f5 100644 --- a/detections/endpoint/registry_keys_for_creating_shim_databases.yml +++ b/detections/endpoint/registry_keys_for_creating_shim_databases.yml @@ -14,12 +14,12 @@ how_to_implement: To successfully implement this search, you need to be ingestin known_false_positives: There are many legitimate applications that leverage shim databases for compatibility purposes for legacy applications references: [] drilldown_searches: -- name: View the detection results for $dest$ and $user$ - search: '%original_detection_search% | search dest = $dest$ user = $user$' +- name: View the detection results for - "$dest$" and "$user$" + search: '%original_detection_search% | search dest = "$dest$" user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ and $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$, $user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" and "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/registry_keys_used_for_persistence.yml b/detections/endpoint/registry_keys_used_for_persistence.yml index 13f25a14ca..69a5ecd970 100644 --- a/detections/endpoint/registry_keys_used_for_persistence.yml +++ b/detections/endpoint/registry_keys_used_for_persistence.yml @@ -14,12 +14,12 @@ how_to_implement: To successfully implement this search, you must be ingesting d known_false_positives: There are many legitimate applications that must execute on system startup and will use these registry keys to accomplish that task. references: [] drilldown_searches: -- name: View the detection results for $dest$ and $user$ - search: '%original_detection_search% | search dest = $dest$ user = $user$' +- name: View the detection results for - "$dest$" and "$user$" + search: '%original_detection_search% | search dest = "$dest$" user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ and $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$, $user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" and "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/registry_keys_used_for_privilege_escalation.yml b/detections/endpoint/registry_keys_used_for_privilege_escalation.yml index cf70d6c270..55221706f7 100644 --- a/detections/endpoint/registry_keys_used_for_privilege_escalation.yml +++ b/detections/endpoint/registry_keys_used_for_privilege_escalation.yml @@ -15,12 +15,12 @@ known_false_positives: There are many legitimate applications that must execute references: - https://blog.malwarebytes.com/101/2015/12/an-introduction-to-image-file-execution-options/ drilldown_searches: -- name: View the detection results for $dest$ and $user$ - search: '%original_detection_search% | search dest = $dest$ user = $user$' +- name: View the detection results for - "$dest$" and "$user$" + search: '%original_detection_search% | search dest = "$dest$" user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ and $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$, $user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" and "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/regsvr32_silent_and_install_param_dll_loading.yml b/detections/endpoint/regsvr32_silent_and_install_param_dll_loading.yml index 227e068b58..57d92f765d 100644 --- a/detections/endpoint/regsvr32_silent_and_install_param_dll_loading.yml +++ b/detections/endpoint/regsvr32_silent_and_install_param_dll_loading.yml @@ -17,12 +17,12 @@ references: - https://app.any.run/tasks/dc93ee63-050c-4ff8-b07e-8277af9ab939/ - https://attack.mitre.org/techniques/T1218/010/ drilldown_searches: -- name: View the detection results for $user$ and $dest$ - search: '%original_detection_search% | search user = $user$ dest = $dest$' +- name: View the detection results for - "$user$" and "$dest$" + search: '%original_detection_search% | search user = "$user$" dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ and $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$, $dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" and "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/regsvr32_with_known_silent_switch_cmdline.yml b/detections/endpoint/regsvr32_with_known_silent_switch_cmdline.yml index e4a08f5f39..9cd05c803f 100644 --- a/detections/endpoint/regsvr32_with_known_silent_switch_cmdline.yml +++ b/detections/endpoint/regsvr32_with_known_silent_switch_cmdline.yml @@ -17,12 +17,12 @@ references: - https://app.any.run/tasks/56680cba-2bbc-4b34-8633-5f7878ddf858/ - https://regexr.com/699e2 drilldown_searches: -- name: View the detection results for $user$ and $dest$ - search: '%original_detection_search% | search user = $user$ dest = $dest$' +- name: View the detection results for - "$user$" and "$dest$" + search: '%original_detection_search% | search user = "$user$" dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ and $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$, $dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" and "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/remcos_client_registry_install_entry.yml b/detections/endpoint/remcos_client_registry_install_entry.yml index 08429e0d7f..d1b295fb0b 100644 --- a/detections/endpoint/remcos_client_registry_install_entry.yml +++ b/detections/endpoint/remcos_client_registry_install_entry.yml @@ -18,12 +18,12 @@ known_false_positives: unknown references: - https://attack.mitre.org/software/S0332/ drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/remcos_rat_file_creation_in_remcos_folder.yml b/detections/endpoint/remcos_rat_file_creation_in_remcos_folder.yml index 71af1cede3..c716bd1ab2 100644 --- a/detections/endpoint/remcos_rat_file_creation_in_remcos_folder.yml +++ b/detections/endpoint/remcos_rat_file_creation_in_remcos_folder.yml @@ -15,12 +15,12 @@ references: - https://success.trendmicro.com/dcx/s/solution/1123281-remcos-malware-information?language=en_US - https://blog.malwarebytes.com/threat-intelligence/2021/07/remcos-rat-delivered-via-visual-basic/ drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/remote_desktop_process_running_on_system.yml b/detections/endpoint/remote_desktop_process_running_on_system.yml index abb5784745..ae2c77d13d 100644 --- a/detections/endpoint/remote_desktop_process_running_on_system.yml +++ b/detections/endpoint/remote_desktop_process_running_on_system.yml @@ -5,32 +5,13 @@ date: '2024-10-17' author: David Dorsey, Splunk status: experimental type: Hunting -description: The following analytic detects the execution of the remote desktop process - (mstsc.exe) on systems where it is not typically run. This detection leverages data - from Endpoint Detection and Response (EDR) agents, filtering out systems categorized - as common RDP sources. This activity is significant because unauthorized use of - mstsc.exe can indicate lateral movement or unauthorized remote access attempts. - If confirmed malicious, this could allow an attacker to gain remote control of a - system, potentially leading to data exfiltration, privilege escalation, or further - network compromise. +description: The following analytic detects the execution of the remote desktop process (mstsc.exe) on systems where it is not typically run. This detection leverages data from Endpoint Detection and Response (EDR) agents, filtering out systems categorized as common RDP sources. This activity is significant because unauthorized use of mstsc.exe can indicate lateral movement or unauthorized remote access attempts. If confirmed malicious, this could allow an attacker to gain remote control of a system, potentially leading to data exfiltration, privilege escalation, or further network compromise. data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) - as lastTime from datamodel=Endpoint.Processes where Processes.process=*mstsc.exe - AND Processes.dest_category!=common_rdp_source by Processes.dest Processes.user - Processes.process | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` - | `drop_dm_object_name(Processes)` | `remote_desktop_process_running_on_system_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection - and Response (EDR) agents. These agents are designed to provide security-related - telemetry from the endpoints where the agent is installed. To implement this search, - you must ingest logs that contain the process GUID, process name, and parent process. - Additionally, you must ingest complete command-line executions. These logs must - be processed using the appropriate Splunk Technology Add-ons that are specific to - the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` - data model. Use the Splunk Common Information Model (CIM) to normalize the field - names and speed up the data modeling process. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process=*mstsc.exe AND Processes.dest_category!=common_rdp_source by Processes.dest Processes.user Processes.process | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `drop_dm_object_name(Processes)` | `remote_desktop_process_running_on_system_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. known_false_positives: Remote Desktop may be used legitimately by users on the network. references: [] tags: diff --git a/detections/endpoint/remote_process_instantiation_via_dcom_and_powershell.yml b/detections/endpoint/remote_process_instantiation_via_dcom_and_powershell.yml index 589d1cefd6..d1ac027894 100644 --- a/detections/endpoint/remote_process_instantiation_via_dcom_and_powershell.yml +++ b/detections/endpoint/remote_process_instantiation_via_dcom_and_powershell.yml @@ -17,12 +17,12 @@ references: - https://attack.mitre.org/techniques/T1021/003/ - https://www.cybereason.com/blog/dcom-lateral-movement-techniques drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/remote_process_instantiation_via_dcom_and_powershell_script_block.yml b/detections/endpoint/remote_process_instantiation_via_dcom_and_powershell_script_block.yml index 51e2ef8ac4..17d0175780 100644 --- a/detections/endpoint/remote_process_instantiation_via_dcom_and_powershell_script_block.yml +++ b/detections/endpoint/remote_process_instantiation_via_dcom_and_powershell_script_block.yml @@ -15,12 +15,12 @@ references: - https://attack.mitre.org/techniques/T1021/003/ - https://www.cybereason.com/blog/dcom-lateral-movement-techniques drilldown_searches: -- name: View the detection results for $Computer$ - search: '%original_detection_search% | search Computer = $Computer$' +- name: View the detection results for - "$Computer$" + search: '%original_detection_search% | search Computer = "$Computer$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $Computer$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($Computer$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$Computer$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$Computer$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/remote_process_instantiation_via_winrm_and_powershell.yml b/detections/endpoint/remote_process_instantiation_via_winrm_and_powershell.yml index 1c6904d7ba..bd63fa4598 100644 --- a/detections/endpoint/remote_process_instantiation_via_winrm_and_powershell.yml +++ b/detections/endpoint/remote_process_instantiation_via_winrm_and_powershell.yml @@ -17,12 +17,12 @@ references: - https://attack.mitre.org/techniques/T1021/006/ - https://pentestlab.blog/2018/05/15/lateral-movement-winrm/ drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/remote_process_instantiation_via_winrm_and_powershell_script_block.yml b/detections/endpoint/remote_process_instantiation_via_winrm_and_powershell_script_block.yml index fd1f0ce2b2..3b868252cd 100644 --- a/detections/endpoint/remote_process_instantiation_via_winrm_and_powershell_script_block.yml +++ b/detections/endpoint/remote_process_instantiation_via_winrm_and_powershell_script_block.yml @@ -15,12 +15,12 @@ references: - https://attack.mitre.org/techniques/T1021/006/ - https://pentestlab.blog/2018/05/15/lateral-movement-winrm/ drilldown_searches: -- name: View the detection results for $Computer$ - search: '%original_detection_search% | search Computer = $Computer$' +- name: View the detection results for - "$Computer$" + search: '%original_detection_search% | search Computer = "$Computer$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $Computer$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($Computer$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$Computer$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$Computer$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/remote_process_instantiation_via_winrm_and_winrs.yml b/detections/endpoint/remote_process_instantiation_via_winrm_and_winrs.yml index c3c4ab26b8..328a38a745 100644 --- a/detections/endpoint/remote_process_instantiation_via_winrm_and_winrs.yml +++ b/detections/endpoint/remote_process_instantiation_via_winrm_and_winrs.yml @@ -17,12 +17,12 @@ references: - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/winrs - https://attack.mitre.org/techniques/T1021/006/ drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/remote_process_instantiation_via_wmi.yml b/detections/endpoint/remote_process_instantiation_via_wmi.yml index 7675f13952..531c6b55c2 100644 --- a/detections/endpoint/remote_process_instantiation_via_wmi.yml +++ b/detections/endpoint/remote_process_instantiation_via_wmi.yml @@ -17,12 +17,12 @@ references: - https://attack.mitre.org/techniques/T1047/ - https://docs.microsoft.com/en-us/windows/win32/cimwin32prov/create-method-in-class-win32-process drilldown_searches: -- name: View the detection results for $dest$ and $user$ - search: '%original_detection_search% | search dest = $dest$ user = $user$' +- name: View the detection results for - "$dest$" and "$user$" + search: '%original_detection_search% | search dest = "$dest$" user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ and $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$, $user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" and "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/remote_process_instantiation_via_wmi_and_powershell.yml b/detections/endpoint/remote_process_instantiation_via_wmi_and_powershell.yml index e80a770760..1dc6f57353 100644 --- a/detections/endpoint/remote_process_instantiation_via_wmi_and_powershell.yml +++ b/detections/endpoint/remote_process_instantiation_via_wmi_and_powershell.yml @@ -17,12 +17,12 @@ references: - https://attack.mitre.org/techniques/T1047/ - https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/invoke-wmimethod?view=powershell-5.1 drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/remote_process_instantiation_via_wmi_and_powershell_script_block.yml b/detections/endpoint/remote_process_instantiation_via_wmi_and_powershell_script_block.yml index 3c3879df98..542c97e39c 100644 --- a/detections/endpoint/remote_process_instantiation_via_wmi_and_powershell_script_block.yml +++ b/detections/endpoint/remote_process_instantiation_via_wmi_and_powershell_script_block.yml @@ -15,12 +15,12 @@ references: - https://attack.mitre.org/techniques/T1047/ - https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/invoke-wmimethod?view=powershell-5.1 drilldown_searches: -- name: View the detection results for $Computer$ - search: '%original_detection_search% | search Computer = $Computer$' +- name: View the detection results for - "$Computer$" + search: '%original_detection_search% | search Computer = "$Computer$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $Computer$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($Computer$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$Computer$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$Computer$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/remote_system_discovery_with_adsisearcher.yml b/detections/endpoint/remote_system_discovery_with_adsisearcher.yml index 8cc28c0148..fc6c0281c4 100644 --- a/detections/endpoint/remote_system_discovery_with_adsisearcher.yml +++ b/detections/endpoint/remote_system_discovery_with_adsisearcher.yml @@ -15,12 +15,12 @@ references: - https://attack.mitre.org/techniques/T1018/ - https://devblogs.microsoft.com/scripting/use-the-powershell-adsisearcher-type-accelerator-to-search-active-directory/ drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/remote_system_discovery_with_dsquery.yml b/detections/endpoint/remote_system_discovery_with_dsquery.yml index 68c47c899a..fd2bd3832c 100644 --- a/detections/endpoint/remote_system_discovery_with_dsquery.yml +++ b/detections/endpoint/remote_system_discovery_with_dsquery.yml @@ -5,33 +5,13 @@ date: '2024-10-17' author: Mauricio Velazco, Splunk status: production type: Hunting -description: The following analytic detects the execution of `dsquery.exe` with the - `computer` argument, which is used to discover remote systems within a domain. This - detection leverages data from Endpoint Detection and Response (EDR) agents, focusing - on process names and command-line arguments. Remote system discovery is significant - as it indicates potential reconnaissance activities by adversaries or Red Teams - to map out network resources and Active Directory structures. If confirmed malicious, - this activity could lead to further exploitation, lateral movement, and unauthorized - access to critical systems within the network. +description: The following analytic detects the execution of `dsquery.exe` with the `computer` argument, which is used to discover remote systems within a domain. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line arguments. Remote system discovery is significant as it indicates potential reconnaissance activities by adversaries or Red Teams to map out network resources and Active Directory structures. If confirmed malicious, this activity could lead to further exploitation, lateral movement, and unauthorized access to critical systems within the network. data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) - as lastTime from datamodel=Endpoint.Processes where (Processes.process_name="dsquery.exe") - (Processes.process="*computer*") by Processes.dest Processes.user Processes.parent_process - Processes.process_name Processes.process Processes.process_id Processes.parent_process_id - | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` - | `remote_system_discovery_with_dsquery_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection - and Response (EDR) agents. These agents are designed to provide security-related - telemetry from the endpoints where the agent is installed. To implement this search, - you must ingest logs that contain the process GUID, process name, and parent process. - Additionally, you must ingest complete command-line executions. These logs must - be processed using the appropriate Splunk Technology Add-ons that are specific to - the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` - data model. Use the Splunk Common Information Model (CIM) to normalize the field - names and speed up the data modeling process. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name="dsquery.exe") (Processes.process="*computer*") by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `remote_system_discovery_with_dsquery_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. known_false_positives: Administrators or power users may use this command for troubleshooting. references: - https://attack.mitre.org/techniques/T1018/ @@ -71,7 +51,6 @@ tags: tests: - name: True Positive Test attack_data: - - data: - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1018/AD_discovery/windows-sysmon.log + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1018/AD_discovery/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/remote_system_discovery_with_net.yml b/detections/endpoint/remote_system_discovery_with_net.yml index 09d34afbec..4a0370e951 100644 --- a/detections/endpoint/remote_system_discovery_with_net.yml +++ b/detections/endpoint/remote_system_discovery_with_net.yml @@ -5,34 +5,13 @@ date: '2024-10-17' author: Mauricio Velazco, Splunk status: production type: Hunting -description: The following analytic identifies the execution of `net.exe` or `net1.exe` - with command-line arguments used to discover remote systems, such as `domain computers - /domain`. This detection leverages data from Endpoint Detection and Response (EDR) - agents, focusing on process names and command-line arguments. This activity is significant - as it indicates potential reconnaissance efforts by adversaries or Red Teams to - map out networked systems and Active Directory structures. If confirmed malicious, - this behavior could lead to further network exploitation, privilege escalation, - or lateral movement within the environment. +description: The following analytic identifies the execution of `net.exe` or `net1.exe` with command-line arguments used to discover remote systems, such as `domain computers /domain`. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line arguments. This activity is significant as it indicates potential reconnaissance efforts by adversaries or Red Teams to map out networked systems and Active Directory structures. If confirmed malicious, this behavior could lead to further network exploitation, privilege escalation, or lateral movement within the environment. data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) - as lastTime from datamodel=Endpoint.Processes where (Processes.process_name="net.exe" - OR Processes.process_name="net1.exe") (Processes.process="*domain computers*" AND - Processes.process=*/do*) OR (Processes.process="*view*" AND Processes.process=*/do*) - by Processes.dest Processes.user Processes.parent_process Processes.process_name - Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` - | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `remote_system_discovery_with_net_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection - and Response (EDR) agents. These agents are designed to provide security-related - telemetry from the endpoints where the agent is installed. To implement this search, - you must ingest logs that contain the process GUID, process name, and parent process. - Additionally, you must ingest complete command-line executions. These logs must - be processed using the appropriate Splunk Technology Add-ons that are specific to - the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` - data model. Use the Splunk Common Information Model (CIM) to normalize the field - names and speed up the data modeling process. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name="net.exe" OR Processes.process_name="net1.exe") (Processes.process="*domain computers*" AND Processes.process=*/do*) OR (Processes.process="*view*" AND Processes.process=*/do*) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `remote_system_discovery_with_net_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. known_false_positives: Administrators or power users may use this command for troubleshooting. references: - https://attack.mitre.org/techniques/T1018/ @@ -73,7 +52,6 @@ tags: tests: - name: True Positive Test attack_data: - - data: - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1018/AD_discovery/windows-sysmon.log + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1018/AD_discovery/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/remote_system_discovery_with_wmic.yml b/detections/endpoint/remote_system_discovery_with_wmic.yml index 5f77a0e44e..7678004cbd 100644 --- a/detections/endpoint/remote_system_discovery_with_wmic.yml +++ b/detections/endpoint/remote_system_discovery_with_wmic.yml @@ -17,12 +17,12 @@ references: - https://attack.mitre.org/techniques/T1018/ - https://docs.microsoft.com/en-us/windows/win32/wmisdk/wmic drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/remote_wmi_command_attempt.yml b/detections/endpoint/remote_wmi_command_attempt.yml index 4fba52b239..5b53da8d9b 100644 --- a/detections/endpoint/remote_wmi_command_attempt.yml +++ b/detections/endpoint/remote_wmi_command_attempt.yml @@ -18,12 +18,12 @@ references: - https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/ - https://thedfirreport.com/2023/05/22/icedid-macro-ends-in-nokoyawa-ransomware/ drilldown_searches: -- name: View the detection results for $dest$ and $user$ - search: '%original_detection_search% | search dest = $dest$ user = $user$' +- name: View the detection results for - "$dest$" and "$user$" + search: '%original_detection_search% | search dest = "$dest$" user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ and $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$, $user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" and "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/resize_shadowstorage_volume.yml b/detections/endpoint/resize_shadowstorage_volume.yml index 09843f4031..5a20472e2c 100644 --- a/detections/endpoint/resize_shadowstorage_volume.yml +++ b/detections/endpoint/resize_shadowstorage_volume.yml @@ -20,12 +20,12 @@ references: - https://redcanary.com/blog/blackbyte-ransomware/ - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/vssadmin-resize-shadowstorage drilldown_searches: -- name: View the detection results for $dest$ and $user$ - search: '%original_detection_search% | search dest = $dest$ user = $user$' +- name: View the detection results for - "$dest$" and "$user$" + search: '%original_detection_search% | search dest = "$dest$" user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ and $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$, $user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" and "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/revil_common_exec_parameter.yml b/detections/endpoint/revil_common_exec_parameter.yml index 62fc3cb05e..24718860a8 100644 --- a/detections/endpoint/revil_common_exec_parameter.yml +++ b/detections/endpoint/revil_common_exec_parameter.yml @@ -17,12 +17,12 @@ references: - https://krebsonsecurity.com/2021/05/a-closer-look-at-the-darkside-ransomware-gang/ - https://www.mcafee.com/blogs/other-blogs/mcafee-labs/mcafee-atr-analyzes-sodinokibi-aka-revil-ransomware-as-a-service-what-the-code-tells-us/ drilldown_searches: -- name: View the detection results for $dest$ and $user$ - search: '%original_detection_search% | search dest = $dest$ user = $user$' +- name: View the detection results for - "$dest$" and "$user$" + search: '%original_detection_search% | search dest = "$dest$" user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ and $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$, $user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" and "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/revil_registry_entry.yml b/detections/endpoint/revil_registry_entry.yml index b1bb1ad686..dee2de3271 100644 --- a/detections/endpoint/revil_registry_entry.yml +++ b/detections/endpoint/revil_registry_entry.yml @@ -19,12 +19,12 @@ references: - https://krebsonsecurity.com/2021/05/a-closer-look-at-the-darkside-ransomware-gang/ - https://www.mcafee.com/blogs/other-blogs/mcafee-labs/mcafee-atr-analyzes-sodinokibi-aka-revil-ransomware-as-a-service-what-the-code-tells-us/ drilldown_searches: -- name: View the detection results for $dest$ and $user$ - search: '%original_detection_search% | search dest = $dest$ user = $user$' +- name: View the detection results for - "$dest$" and "$user$" + search: '%original_detection_search% | search dest = "$dest$" user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ and $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$, $user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" and "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/rubeus_command_line_parameters.yml b/detections/endpoint/rubeus_command_line_parameters.yml index 2e92782e7f..fb8429edb0 100644 --- a/detections/endpoint/rubeus_command_line_parameters.yml +++ b/detections/endpoint/rubeus_command_line_parameters.yml @@ -19,12 +19,12 @@ references: - https://attack.mitre.org/techniques/T1550/003/ - https://en.hackndo.com/kerberos-silver-golden-tickets/ drilldown_searches: -- name: View the detection results for $user$ and $dest$ - search: '%original_detection_search% | search user = $user$ dest = $dest$' +- name: View the detection results for - "$user$" and "$dest$" + search: '%original_detection_search% | search user = "$user$" dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ and $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$, $dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" and "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/rubeus_kerberos_ticket_exports_through_winlogon_access.yml b/detections/endpoint/rubeus_kerberos_ticket_exports_through_winlogon_access.yml index f5d3865ec3..14ef443792 100644 --- a/detections/endpoint/rubeus_kerberos_ticket_exports_through_winlogon_access.yml +++ b/detections/endpoint/rubeus_kerberos_ticket_exports_through_winlogon_access.yml @@ -16,12 +16,12 @@ references: - https://web.archive.org/web/20210725005734/http://www.harmj0y.net/blog/redteaming/from-kekeo-to-rubeus/ - https://attack.mitre.org/techniques/T1550/003/ drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/runas_execution_in_commandline.yml b/detections/endpoint/runas_execution_in_commandline.yml index 9a31353123..d8459f2780 100644 --- a/detections/endpoint/runas_execution_in_commandline.yml +++ b/detections/endpoint/runas_execution_in_commandline.yml @@ -5,36 +5,14 @@ date: '2024-10-17' author: Teoderick Contreras, Splunk status: production type: Hunting -description: The following analytic detects the execution of the runas.exe process - with administrator user options. It leverages data from Endpoint Detection and Response - (EDR) agents, focusing on command-line executions and process details. This activity - is significant as it may indicate an attempt to gain elevated privileges, a common - tactic in privilege escalation and lateral movement. If confirmed malicious, this - could allow an attacker to execute commands with higher privileges, potentially - leading to unauthorized access, data exfiltration, or further compromise of the - target host. +description: The following analytic detects the execution of the runas.exe process with administrator user options. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions and process details. This activity is significant as it may indicate an attempt to gain elevated privileges, a common tactic in privilege escalation and lateral movement. If confirmed malicious, this could allow an attacker to execute commands with higher privileges, potentially leading to unauthorized access, data exfiltration, or further compromise of the target host. data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) - as lastTime from datamodel=Endpoint.Processes where `process_runas` AND Processes.process - = "*/user:*" AND Processes.process = "*admin*" by Processes.dest Processes.user - Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process - Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` - | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `runas_execution_in_commandline_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection - and Response (EDR) agents. These agents are designed to provide security-related - telemetry from the endpoints where the agent is installed. To implement this search, - you must ingest logs that contain the process GUID, process name, and parent process. - Additionally, you must ingest complete command-line executions. These logs must - be processed using the appropriate Splunk Technology Add-ons that are specific to - the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` - data model. Use the Splunk Common Information Model (CIM) to normalize the field - names and speed up the data modeling process. -known_false_positives: A network operator or systems administrator may utilize an - automated or manual execute this command that may generate false positives. filter - is needed. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_runas` AND Processes.process = "*/user:*" AND Processes.process = "*admin*" by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `runas_execution_in_commandline_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. +known_false_positives: A network operator or systems administrator may utilize an automated or manual execute this command that may generate false positives. filter is needed. references: - https://app.any.run/tasks/ad4c3cda-41f2-4401-8dba-56cc2d245488/ tags: @@ -73,7 +51,6 @@ tags: tests: - name: True Positive Test attack_data: - - data: - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/vilsel/sysmon.log + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/vilsel/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/rundll32_control_rundll_hunt.yml b/detections/endpoint/rundll32_control_rundll_hunt.yml index 0069562635..5bea3eb21e 100644 --- a/detections/endpoint/rundll32_control_rundll_hunt.yml +++ b/detections/endpoint/rundll32_control_rundll_hunt.yml @@ -5,35 +5,14 @@ date: '2024-10-17' author: Michael Haag, Splunk status: production type: Hunting -description: The following analytic identifies instances of rundll32.exe executing - with `Control_RunDLL` in the command line, which is indicative of loading a .cpl - or other file types. This detection leverages data from Endpoint Detection and Response - (EDR) agents, focusing on process execution logs and command-line arguments. This - activity is significant as rundll32.exe can be exploited to execute malicious Control - Panel Item files, potentially linked to CVE-2021-40444. If confirmed malicious, - this could allow attackers to execute arbitrary code, escalate privileges, or maintain - persistence within the environment. +description: The following analytic identifies instances of rundll32.exe executing with `Control_RunDLL` in the command line, which is indicative of loading a .cpl or other file types. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs and command-line arguments. This activity is significant as rundll32.exe can be exploited to execute malicious Control Panel Item files, potentially linked to CVE-2021-40444. If confirmed malicious, this could allow attackers to execute arbitrary code, escalate privileges, or maintain persistence within the environment. data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) - as lastTime from datamodel=Endpoint.Processes where `process_rundll32` Processes.process=*Control_RunDLL* by - Processes.dest Processes.user Processes.parent_process_name Processes.process_name - Processes.process Processes.process_id Processes.parent_process_id Processes.original_file_name - | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` - | `rundll32_control_rundll_hunt_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection - and Response (EDR) agents. These agents are designed to provide security-related - telemetry from the endpoints where the agent is installed. To implement this search, - you must ingest logs that contain the process GUID, process name, and parent process. - Additionally, you must ingest complete command-line executions. These logs must - be processed using the appropriate Splunk Technology Add-ons that are specific to - the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` - data model. Use the Splunk Common Information Model (CIM) to normalize the field - names and speed up the data modeling process. -known_false_positives: This is a hunting detection, meant to provide a understanding - of how voluminous control_rundll is within the environment. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_rundll32` Processes.process=*Control_RunDLL* by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.original_file_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `rundll32_control_rundll_hunt_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. +known_false_positives: This is a hunting detection, meant to provide a understanding of how voluminous control_rundll is within the environment. references: - https://strontic.github.io/xcyclopedia/library/rundll32.exe-111474C61232202B5B588D2B512CBB25.html - https://app.any.run/tasks/36c14029-9df8-439c-bba0-45f2643b0c70/ @@ -51,8 +30,7 @@ tags: cve: - CVE-2021-40444 impact: 30 - message: An instance of $parent_process_name$ spawning $process_name$ was identified - on endpoint $dest$ by user $user$ attempting to load a suspicious file from disk. + message: An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to load a suspicious file from disk. mitre_attack_id: - T1218 - T1218.011 @@ -94,7 +72,6 @@ tags: tests: - name: True Positive Test attack_data: - - data: - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.002/atomic_red_team/windows-sysmon.log + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.002/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/rundll32_control_rundll_world_writable_directory.yml b/detections/endpoint/rundll32_control_rundll_world_writable_directory.yml index 548585890d..b6f36085a1 100644 --- a/detections/endpoint/rundll32_control_rundll_world_writable_directory.yml +++ b/detections/endpoint/rundll32_control_rundll_world_writable_directory.yml @@ -21,12 +21,12 @@ references: - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.002/T1218.002.yaml - https://redcanary.com/blog/intelligence-insights-december-2021/ drilldown_searches: -- name: View the detection results for $user$ and $dest$ - search: '%original_detection_search% | search user = $user$ dest = $dest$' +- name: View the detection results for - "$user$" and "$dest$" + search: '%original_detection_search% | search user = "$user$" dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ and $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$, $dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" and "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/rundll32_create_remote_thread_to_a_process.yml b/detections/endpoint/rundll32_create_remote_thread_to_a_process.yml index bde708cfd0..ad4ebdb94f 100644 --- a/detections/endpoint/rundll32_create_remote_thread_to_a_process.yml +++ b/detections/endpoint/rundll32_create_remote_thread_to_a_process.yml @@ -14,12 +14,12 @@ known_false_positives: unknown references: - https://www.joesandbox.com/analysis/380662/0/html drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/rundll32_createremotethread_in_browser.yml b/detections/endpoint/rundll32_createremotethread_in_browser.yml index 0d678dfd0f..a875e57d85 100644 --- a/detections/endpoint/rundll32_createremotethread_in_browser.yml +++ b/detections/endpoint/rundll32_createremotethread_in_browser.yml @@ -14,12 +14,12 @@ known_false_positives: unknown references: - https://www.joesandbox.com/analysis/380662/0/html drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/rundll32_dnsquery.yml b/detections/endpoint/rundll32_dnsquery.yml index ba58894f31..6f95860d9b 100644 --- a/detections/endpoint/rundll32_dnsquery.yml +++ b/detections/endpoint/rundll32_dnsquery.yml @@ -14,12 +14,12 @@ known_false_positives: unknown references: - https://any.run/malware-trends/icedid drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/rundll32_lockworkstation.yml b/detections/endpoint/rundll32_lockworkstation.yml index 83914585a9..e2423a8179 100644 --- a/detections/endpoint/rundll32_lockworkstation.yml +++ b/detections/endpoint/rundll32_lockworkstation.yml @@ -16,12 +16,12 @@ known_false_positives: unknown references: - https://threadreaderapp.com/thread/1423361119926816776.html drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/rundll32_process_creating_exe_dll_files.yml b/detections/endpoint/rundll32_process_creating_exe_dll_files.yml index 376f37e2d6..d5ec57090b 100644 --- a/detections/endpoint/rundll32_process_creating_exe_dll_files.yml +++ b/detections/endpoint/rundll32_process_creating_exe_dll_files.yml @@ -14,12 +14,12 @@ known_false_positives: unknown references: - https://any.run/malware-trends/icedid drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/rundll32_shimcache_flush.yml b/detections/endpoint/rundll32_shimcache_flush.yml index b7244e5042..6baad9987a 100644 --- a/detections/endpoint/rundll32_shimcache_flush.yml +++ b/detections/endpoint/rundll32_shimcache_flush.yml @@ -16,12 +16,12 @@ known_false_positives: unknown references: - https://blueteamops.medium.com/shimcache-flush-89daff28d15e drilldown_searches: -- name: View the detection results for $dest$ and $user$ - search: '%original_detection_search% | search dest = $dest$ user = $user$' +- name: View the detection results for - "$dest$" and "$user$" + search: '%original_detection_search% | search dest = "$dest$" user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ and $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$, $user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" and "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/rundll32_with_no_command_line_arguments_with_network.yml b/detections/endpoint/rundll32_with_no_command_line_arguments_with_network.yml index 01648d1456..820ae0f7cf 100644 --- a/detections/endpoint/rundll32_with_no_command_line_arguments_with_network.yml +++ b/detections/endpoint/rundll32_with_no_command_line_arguments_with_network.yml @@ -17,12 +17,12 @@ references: - https://lolbas-project.github.io/lolbas/Binaries/Rundll32/ - https://bohops.com/2018/02/26/leveraging-inf-sct-fetch-execute-techniques-for-bypass-evasion-persistence/ drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/rundll_loading_dll_by_ordinal.yml b/detections/endpoint/rundll_loading_dll_by_ordinal.yml index 8c71a2919e..2a4500700d 100644 --- a/detections/endpoint/rundll_loading_dll_by_ordinal.yml +++ b/detections/endpoint/rundll_loading_dll_by_ordinal.yml @@ -18,12 +18,12 @@ references: - https://twitter.com/M_haggis/status/1491109262428635136 - https://twitter.com/pr0xylife/status/1590394227758104576 drilldown_searches: -- name: View the detection results for $dest$ and $user$ - search: '%original_detection_search% | search dest = $dest$ user = $user$' +- name: View the detection results for - "$dest$" and "$user$" + search: '%original_detection_search% | search dest = "$dest$" user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ and $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$, $user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" and "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/ryuk_test_files_detected.yml b/detections/endpoint/ryuk_test_files_detected.yml index 40b401e09a..70be8a8a3a 100644 --- a/detections/endpoint/ryuk_test_files_detected.yml +++ b/detections/endpoint/ryuk_test_files_detected.yml @@ -13,12 +13,12 @@ how_to_implement: You must be ingesting data that records the filesystem activit known_false_positives: If there are files with this keywoord as file names it might trigger false possitives, please make use of our filters to tune out potential FPs. references: [] drilldown_searches: -- name: View the detection results for $dest$ and $user$ - search: '%original_detection_search% | search dest = $dest$ user = $user$' +- name: View the detection results for - "$dest$" and "$user$" + search: '%original_detection_search% | search dest = "$dest$" user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ and $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$, $user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" and "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/ryuk_wake_on_lan_command.yml b/detections/endpoint/ryuk_wake_on_lan_command.yml index 9abf2c2a2d..0f3c1cc637 100644 --- a/detections/endpoint/ryuk_wake_on_lan_command.yml +++ b/detections/endpoint/ryuk_wake_on_lan_command.yml @@ -18,12 +18,12 @@ references: - https://www.bleepingcomputer.com/news/security/ryuk-ransomware-now-self-spreads-to-other-windows-lan-devices/ - https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-006.pdf drilldown_searches: -- name: View the detection results for $dest$ and $user$ - search: '%original_detection_search% | search dest = $dest$ user = $user$' +- name: View the detection results for - "$dest$" and "$user$" + search: '%original_detection_search% | search dest = "$dest$" user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ and $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$, $user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" and "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/sam_database_file_access_attempt.yml b/detections/endpoint/sam_database_file_access_attempt.yml index dc79624645..2bf193709e 100644 --- a/detections/endpoint/sam_database_file_access_attempt.yml +++ b/detections/endpoint/sam_database_file_access_attempt.yml @@ -5,26 +5,12 @@ date: '2024-10-17' author: Michael Haag, Mauricio Velazco, Splunk status: production type: Hunting -description: The following analytic detects attempts to access the SAM, SYSTEM, or - SECURITY database files within the `windows\system32\config` directory using Windows - Security EventCode 4663. This detection leverages Windows Security Event logs to - identify unauthorized access attempts. Monitoring this activity is crucial as it - indicates potential credential access attempts, possibly exploiting vulnerabilities - like CVE-2021-36934. If confirmed malicious, an attacker could extract user passwords, - leading to unauthorized access, privilege escalation, and further compromise of - the system. +description: The following analytic detects attempts to access the SAM, SYSTEM, or SECURITY database files within the `windows\system32\config` directory using Windows Security EventCode 4663. This detection leverages Windows Security Event logs to identify unauthorized access attempts. Monitoring this activity is crucial as it indicates potential credential access attempts, possibly exploiting vulnerabilities like CVE-2021-36934. If confirmed malicious, an attacker could extract user passwords, leading to unauthorized access, privilege escalation, and further compromise of the system. data_source: - Windows Event Log Security 4663 -search: '`wineventlog_security` (EventCode=4663) ProcessName!=*\\dllhost.exe ObjectName - IN ("*\\Windows\\System32\\config\\SAM*","*\\Windows\\System32\\config\\SYSTEM*","*\\Windows\\System32\\config\\SECURITY*") - | stats values(AccessList) count by ProcessName ObjectName dest src_user | rename - ProcessName as process_name | `sam_database_file_access_attempt_filter`' -how_to_implement: To successfully implement this search, you must ingest Windows Security - Event logs and track event code 4663. For 4663, enable "Audit Object Access" in - Group Policy. Then check the two boxes listed for both "Success" and "Failure." -known_false_positives: Natively, `dllhost.exe` will access the files. Every environment - will have additional native processes that do as well. Filter by process_name. As - an aside, one can remove process_name entirely and add `Object_Name=*ShadowCopy*`. +search: '`wineventlog_security` (EventCode=4663) ProcessName!=*\\dllhost.exe ObjectName IN ("*\\Windows\\System32\\config\\SAM*","*\\Windows\\System32\\config\\SYSTEM*","*\\Windows\\System32\\config\\SECURITY*") | stats values(AccessList) count by ProcessName ObjectName dest src_user | rename ProcessName as process_name | `sam_database_file_access_attempt_filter`' +how_to_implement: To successfully implement this search, you must ingest Windows Security Event logs and track event code 4663. For 4663, enable "Audit Object Access" in Group Policy. Then check the two boxes listed for both "Success" and "Failure." +known_false_positives: Natively, `dllhost.exe` will access the files. Every environment will have additional native processes that do as well. Filter by process_name. As an aside, one can remove process_name entirely and add `Object_Name=*ShadowCopy*`. references: - https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4663 - https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4663 @@ -42,8 +28,7 @@ tags: cve: - CVE-2021-36934 impact: 80 - message: The following process $process_name$ accessed the object $ObjectName$ attempting - to gain access to credentials on $dest$ by user $src_user$. + message: The following process $process_name$ accessed the object $ObjectName$ attempting to gain access to credentials on $dest$ by user $src_user$. mitre_attack_id: - T1003.002 - T1003 @@ -79,7 +64,6 @@ tags: tests: - name: True Positive Test attack_data: - - data: - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.002/serioussam/windows-xml.log + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.002/serioussam/windows-xml.log source: XmlWinEventLog:Security sourcetype: XmlWinEventLog diff --git a/detections/endpoint/samsam_test_file_write.yml b/detections/endpoint/samsam_test_file_write.yml index 9310ee0dde..94555cc112 100644 --- a/detections/endpoint/samsam_test_file_write.yml +++ b/detections/endpoint/samsam_test_file_write.yml @@ -13,12 +13,12 @@ how_to_implement: You must be ingesting data that records the file-system activi known_false_positives: No false positives have been identified. references: [] drilldown_searches: -- name: View the detection results for $dest$ and $user$ - search: '%original_detection_search% | search dest = $dest$ user = $user$' +- name: View the detection results for - "$dest$" and "$user$" + search: '%original_detection_search% | search dest = "$dest$" user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ and $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$, $user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" and "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/sc_exe_manipulating_windows_services.yml b/detections/endpoint/sc_exe_manipulating_windows_services.yml index b11233c6b2..9a822462fe 100644 --- a/detections/endpoint/sc_exe_manipulating_windows_services.yml +++ b/detections/endpoint/sc_exe_manipulating_windows_services.yml @@ -16,12 +16,12 @@ known_false_positives: Using sc.exe to manipulate Windows services is uncommon. references: - https://www.secureworks.com/blog/drokbk-malware-uses-github-as-dead-drop-resolver drilldown_searches: -- name: View the detection results for $dest$ and $user$ - search: '%original_detection_search% | search dest = $dest$ user = $user$' +- name: View the detection results for - "$dest$" and "$user$" + search: '%original_detection_search% | search dest = "$dest$" user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ and $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$, $user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" and "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/schcache_change_by_app_connect_and_create_adsi_object.yml b/detections/endpoint/schcache_change_by_app_connect_and_create_adsi_object.yml index bae5a3b8ea..3cdb058f4c 100644 --- a/detections/endpoint/schcache_change_by_app_connect_and_create_adsi_object.yml +++ b/detections/endpoint/schcache_change_by_app_connect_and_create_adsi_object.yml @@ -15,12 +15,12 @@ references: - https://docs.microsoft.com/en-us/windows/win32/adsi/adsi-and-uac - https://news.sophos.com/en-us/2021/08/09/blackmatter-ransomware-emerges-from-the-shadow-of-darkside/ drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/schedule_task_with_http_command_arguments.yml b/detections/endpoint/schedule_task_with_http_command_arguments.yml index 49402a0f87..f979ced7cb 100644 --- a/detections/endpoint/schedule_task_with_http_command_arguments.yml +++ b/detections/endpoint/schedule_task_with_http_command_arguments.yml @@ -14,12 +14,12 @@ known_false_positives: unknown references: - https://app.any.run/tasks/92d7ef61-bfd7-4c92-bc15-322172b4ebec/ drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/schedule_task_with_rundll32_command_trigger.yml b/detections/endpoint/schedule_task_with_rundll32_command_trigger.yml index 4339501bb3..2b7b0c1245 100644 --- a/detections/endpoint/schedule_task_with_rundll32_command_trigger.yml +++ b/detections/endpoint/schedule_task_with_rundll32_command_trigger.yml @@ -15,12 +15,12 @@ references: - https://labs.vipre.com/trickbot-and-its-modules/ - https://whitehat.eu/incident-response-case-study-featuring-ryuk-and-trickbot-part-2/ drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/scheduled_task_creation_on_remote_endpoint_using_at.yml b/detections/endpoint/scheduled_task_creation_on_remote_endpoint_using_at.yml index e77e82a31f..eb699569bc 100644 --- a/detections/endpoint/scheduled_task_creation_on_remote_endpoint_using_at.yml +++ b/detections/endpoint/scheduled_task_creation_on_remote_endpoint_using_at.yml @@ -17,12 +17,12 @@ references: - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/at - https://docs.microsoft.com/en-us/windows/win32/cimwin32prov/win32-scheduledjob?redirectedfrom=MSDN drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/scheduled_task_deleted_or_created_via_cmd.yml b/detections/endpoint/scheduled_task_deleted_or_created_via_cmd.yml index 66c780eca9..745b9c6de1 100644 --- a/detections/endpoint/scheduled_task_deleted_or_created_via_cmd.yml +++ b/detections/endpoint/scheduled_task_deleted_or_created_via_cmd.yml @@ -17,12 +17,12 @@ references: - https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/ - https://www.joesandbox.com/analysis/691823/0/html drilldown_searches: -- name: View the detection results for $dest$ and $user$ - search: '%original_detection_search% | search dest = $dest$ user = $user$' +- name: View the detection results for - "$dest$" and "$user$" + search: '%original_detection_search% | search dest = "$dest$" user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ and $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$, $user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" and "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/scheduled_task_initiation_on_remote_endpoint.yml b/detections/endpoint/scheduled_task_initiation_on_remote_endpoint.yml index 663ca4f571..c65cb62562 100644 --- a/detections/endpoint/scheduled_task_initiation_on_remote_endpoint.yml +++ b/detections/endpoint/scheduled_task_initiation_on_remote_endpoint.yml @@ -17,12 +17,12 @@ references: - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks - https://attack.mitre.org/techniques/T1053/005/ drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/schtasks_run_task_on_demand.yml b/detections/endpoint/schtasks_run_task_on_demand.yml index 6bd4fdcfd7..888e79c42c 100644 --- a/detections/endpoint/schtasks_run_task_on_demand.yml +++ b/detections/endpoint/schtasks_run_task_on_demand.yml @@ -16,12 +16,12 @@ known_false_positives: Bear in mind, administrators debugging Scheduled Task ent references: - https://thedfirreport.com/2020/04/20/sqlserver-or-the-miner-in-the-basement/ drilldown_searches: -- name: View the detection results for $dest$ and $user$ - search: '%original_detection_search% | search dest = $dest$ user = $user$' +- name: View the detection results for - "$dest$" and "$user$" + search: '%original_detection_search% | search dest = "$dest$" user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ and $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$, $user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" and "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/schtasks_scheduling_job_on_remote_system.yml b/detections/endpoint/schtasks_scheduling_job_on_remote_system.yml index 6272dabccf..47ab8fc62f 100644 --- a/detections/endpoint/schtasks_scheduling_job_on_remote_system.yml +++ b/detections/endpoint/schtasks_scheduling_job_on_remote_system.yml @@ -15,12 +15,12 @@ how_to_implement: The detection is based on data that originates from Endpoint D known_false_positives: While it is possible to have false positives, due to legitimate administrative tasks, these are usually limited and should still be validated and investigated as appropriate. references: [] drilldown_searches: -- name: View the detection results for $dest$ and $user$ - search: '%original_detection_search% | search dest = $dest$ user = $user$' +- name: View the detection results for - "$dest$" and "$user$" + search: '%original_detection_search% | search dest = "$dest$" user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ and $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$, $user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" and "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/schtasks_used_for_forcing_a_reboot.yml b/detections/endpoint/schtasks_used_for_forcing_a_reboot.yml index 273106d73d..39ca99671a 100644 --- a/detections/endpoint/schtasks_used_for_forcing_a_reboot.yml +++ b/detections/endpoint/schtasks_used_for_forcing_a_reboot.yml @@ -15,12 +15,12 @@ how_to_implement: The detection is based on data that originates from Endpoint D known_false_positives: This analytic may also capture legitimate administrative activities such as system updates or maintenance tasks, which can be classified as false positives. Filter as needed. references: [] drilldown_searches: -- name: View the detection results for $dest$ and $user$ - search: '%original_detection_search% | search dest = $dest$ user = $user$' +- name: View the detection results for - "$dest$" and "$user$" + search: '%original_detection_search% | search dest = "$dest$" user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ and $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$, $user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" and "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/screensaver_event_trigger_execution.yml b/detections/endpoint/screensaver_event_trigger_execution.yml index 3430a91aa8..4d5ce36a7c 100644 --- a/detections/endpoint/screensaver_event_trigger_execution.yml +++ b/detections/endpoint/screensaver_event_trigger_execution.yml @@ -16,12 +16,12 @@ references: - https://attack.mitre.org/techniques/T1546/002/ - https://dmcxblue.gitbook.io/red-team-notes-2-0/red-team-techniques/privilege-escalation/untitled-3/screensaver drilldown_searches: -- name: View the detection results for $dest$ and $user$ - search: '%original_detection_search% | search dest = $dest$ user = $user$' +- name: View the detection results for - "$dest$" and "$user$" + search: '%original_detection_search% | search dest = "$dest$" user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ and $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$, $user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" and "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/script_execution_via_wmi.yml b/detections/endpoint/script_execution_via_wmi.yml index ff49c2aada..c424461676 100644 --- a/detections/endpoint/script_execution_via_wmi.yml +++ b/detections/endpoint/script_execution_via_wmi.yml @@ -16,12 +16,12 @@ known_false_positives: Although unlikely, administrators may use wmi to launch s references: - https://redcanary.com/blog/child-processes/ drilldown_searches: -- name: View the detection results for $dest$ and $user$ - search: '%original_detection_search% | search dest = $dest$ user = $user$' +- name: View the detection results for - "$dest$" and "$user$" + search: '%original_detection_search% | search dest = "$dest$" user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ and $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$, $user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" and "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/sdclt_uac_bypass.yml b/detections/endpoint/sdclt_uac_bypass.yml index a9617a4824..81a0297a91 100644 --- a/detections/endpoint/sdclt_uac_bypass.yml +++ b/detections/endpoint/sdclt_uac_bypass.yml @@ -20,12 +20,12 @@ references: - https://github.com/hfiref0x/UACME - https://www.cyborgsecurity.com/cyborg-labs/threat-hunt-deep-dives-user-account-control-bypass-via-registry-modification/ drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/sdelete_application_execution.yml b/detections/endpoint/sdelete_application_execution.yml index 02d3df6b20..b29026f448 100644 --- a/detections/endpoint/sdelete_application_execution.yml +++ b/detections/endpoint/sdelete_application_execution.yml @@ -16,12 +16,12 @@ known_false_positives: user may execute and use this application references: - https://app.any.run/tasks/956f50be-2c13-465a-ac00-6224c14c5f89/ drilldown_searches: -- name: View the detection results for $dest$ and $user$ - search: '%original_detection_search% | search dest = $dest$ user = $user$' +- name: View the detection results for - "$dest$" and "$user$" + search: '%original_detection_search% | search dest = "$dest$" user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ and $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$, $user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" and "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/searchprotocolhost_with_no_command_line_with_network.yml b/detections/endpoint/searchprotocolhost_with_no_command_line_with_network.yml index 6b83489674..aba78e4139 100644 --- a/detections/endpoint/searchprotocolhost_with_no_command_line_with_network.yml +++ b/detections/endpoint/searchprotocolhost_with_no_command_line_with_network.yml @@ -14,12 +14,12 @@ known_false_positives: Limited false positives may be present in small environme references: - https://github.com/mandiant/red_team_tool_countermeasures/blob/master/rules/PGF/supplemental/hxioc/SUSPICIOUS%20EXECUTION%20OF%20SEARCHPROTOCOLHOST%20(METHODOLOGY).ioc drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/secretdumps_offline_ntds_dumping_tool.yml b/detections/endpoint/secretdumps_offline_ntds_dumping_tool.yml index 1ea54c26b6..56ebe07973 100644 --- a/detections/endpoint/secretdumps_offline_ntds_dumping_tool.yml +++ b/detections/endpoint/secretdumps_offline_ntds_dumping_tool.yml @@ -16,12 +16,12 @@ known_false_positives: unknown references: - https://github.com/SecureAuthCorp/impacket/blob/master/examples/secretsdump.py drilldown_searches: -- name: View the detection results for $dest$ and $user$ - search: '%original_detection_search% | search dest = $dest$ user = $user$' +- name: View the detection results for - "$dest$" and "$user$" + search: '%original_detection_search% | search dest = "$dest$" user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ and $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$, $user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" and "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/serviceprincipalnames_discovery_with_powershell.yml b/detections/endpoint/serviceprincipalnames_discovery_with_powershell.yml index 27d5bccf97..2faa1944a3 100644 --- a/detections/endpoint/serviceprincipalnames_discovery_with_powershell.yml +++ b/detections/endpoint/serviceprincipalnames_discovery_with_powershell.yml @@ -27,12 +27,12 @@ references: - https://static1.squarespace.com/static/552092d5e4b0661088167e5c/t/59c1814829f18782e24f1fe2/1505853768977/Windows+PowerShell+Logging+Cheat+Sheet+ver+Sept+2017+v2.1.pdf - https://www.crowdstrike.com/blog/investigating-powershell-command-and-script-logging/ drilldown_searches: -- name: View the detection results for $user$ and $dest$ - search: '%original_detection_search% | search user = $user$ dest = $dest$' +- name: View the detection results for - "$user$" and "$dest$" + search: '%original_detection_search% | search user = "$user$" dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ and $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$, $dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" and "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/serviceprincipalnames_discovery_with_setspn.yml b/detections/endpoint/serviceprincipalnames_discovery_with_setspn.yml index e734dbb0df..4cffa16ce6 100644 --- a/detections/endpoint/serviceprincipalnames_discovery_with_setspn.yml +++ b/detections/endpoint/serviceprincipalnames_discovery_with_setspn.yml @@ -24,12 +24,12 @@ references: - https://msitpros.com/?p=3113 - https://adsecurity.org/?p=3466 drilldown_searches: -- name: View the detection results for $user$ and $dest$ - search: '%original_detection_search% | search user = $user$ dest = $dest$' +- name: View the detection results for - "$user$" and "$dest$" + search: '%original_detection_search% | search user = "$user$" dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ and $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$, $dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" and "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/services_escalate_exe.yml b/detections/endpoint/services_escalate_exe.yml index 0789719e17..536e2628e4 100644 --- a/detections/endpoint/services_escalate_exe.yml +++ b/detections/endpoint/services_escalate_exe.yml @@ -18,12 +18,12 @@ references: - https://attack.mitre.org/techniques/T1548/ - https://hstechdocs.helpsystems.com/manuals/cobaltstrike/current/userguide/index.htm#cshid=1085 drilldown_searches: -- name: View the detection results for $dest$ and $user$ - search: '%original_detection_search% | search dest = $dest$ user = $user$' +- name: View the detection results for - "$dest$" and "$user$" + search: '%original_detection_search% | search dest = "$dest$" user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ and $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$, $user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" and "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/services_lolbas_execution_process_spawn.yml b/detections/endpoint/services_lolbas_execution_process_spawn.yml index bd2d112494..f406f3302b 100644 --- a/detections/endpoint/services_lolbas_execution_process_spawn.yml +++ b/detections/endpoint/services_lolbas_execution_process_spawn.yml @@ -18,12 +18,12 @@ references: - https://pentestlab.blog/2020/07/21/lateral-movement-services/ - https://lolbas-project.github.io/ drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/set_default_powershell_execution_policy_to_unrestricted_or_bypass.yml b/detections/endpoint/set_default_powershell_execution_policy_to_unrestricted_or_bypass.yml index 0da48122ab..a17b13b7df 100644 --- a/detections/endpoint/set_default_powershell_execution_policy_to_unrestricted_or_bypass.yml +++ b/detections/endpoint/set_default_powershell_execution_policy_to_unrestricted_or_bypass.yml @@ -17,12 +17,12 @@ how_to_implement: The detection is based on data that originates from Endpoint D known_false_positives: Administrators may attempt to change the default execution policy on a system for a variety of reasons. However, setting the policy to "unrestricted" or "bypass" as this search is designed to identify, would be unusual. Hits should be reviewed and investigated as appropriate. references: [] drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/shim_database_file_creation.yml b/detections/endpoint/shim_database_file_creation.yml index a65aaa46ab..1c467680e9 100644 --- a/detections/endpoint/shim_database_file_creation.yml +++ b/detections/endpoint/shim_database_file_creation.yml @@ -13,12 +13,12 @@ how_to_implement: You must be ingesting data that records the filesystem activit known_false_positives: Because legitimate shim files are created and used all the time, this event, in itself, is not suspicious. However, if there are other correlating events, it may warrant further investigation. references: [] drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/shim_database_installation_with_suspicious_parameters.yml b/detections/endpoint/shim_database_installation_with_suspicious_parameters.yml index cb223e4f7b..985144d2bd 100644 --- a/detections/endpoint/shim_database_installation_with_suspicious_parameters.yml +++ b/detections/endpoint/shim_database_installation_with_suspicious_parameters.yml @@ -15,12 +15,12 @@ how_to_implement: The detection is based on data that originates from Endpoint D known_false_positives: None identified references: [] drilldown_searches: -- name: View the detection results for $dest$ and $user$ - search: '%original_detection_search% | search dest = $dest$ user = $user$' +- name: View the detection results for - "$dest$" and "$user$" + search: '%original_detection_search% | search dest = "$dest$" user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ and $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$, $user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" and "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/short_lived_scheduled_task.yml b/detections/endpoint/short_lived_scheduled_task.yml index 060654c31c..21a8916599 100644 --- a/detections/endpoint/short_lived_scheduled_task.yml +++ b/detections/endpoint/short_lived_scheduled_task.yml @@ -16,12 +16,12 @@ references: - https://attack.mitre.org/techniques/T1053/005/ - https://docs.microsoft.com/en-us/windows/win32/taskschd/about-the-task-scheduler drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/short_lived_windows_accounts.yml b/detections/endpoint/short_lived_windows_accounts.yml index 04c3b3f3ec..255c0e4bee 100644 --- a/detections/endpoint/short_lived_windows_accounts.yml +++ b/detections/endpoint/short_lived_windows_accounts.yml @@ -14,12 +14,12 @@ how_to_implement: 'This search requires you to have enabled your Group Managemen known_false_positives: It is possible that an administrator created and deleted an account in a short time period. Verifying activity with an administrator is advised. references: [] drilldown_searches: -- name: View the detection results for $dest$ and $user$ - search: '%original_detection_search% | search dest = $dest$ user = $user$' +- name: View the detection results for - "$dest$" and "$user$" + search: '%original_detection_search% | search dest = "$dest$" user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ and $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$, $user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" and "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/silentcleanup_uac_bypass.yml b/detections/endpoint/silentcleanup_uac_bypass.yml index fe4694e7c2..d58a0b9776 100644 --- a/detections/endpoint/silentcleanup_uac_bypass.yml +++ b/detections/endpoint/silentcleanup_uac_bypass.yml @@ -19,12 +19,12 @@ references: - https://github.com/hfiref0x/UACME - https://www.intezer.com/blog/malware-analysis/klingon-rat-holding-on-for-dear-life/ drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/single_letter_process_on_endpoint.yml b/detections/endpoint/single_letter_process_on_endpoint.yml index d46cfccc9e..780a4fae48 100644 --- a/detections/endpoint/single_letter_process_on_endpoint.yml +++ b/detections/endpoint/single_letter_process_on_endpoint.yml @@ -15,12 +15,12 @@ how_to_implement: The detection is based on data that originates from Endpoint D known_false_positives: Single-letter executables are not always malicious. Investigate this activity with your normal incident-response process. references: [] drilldown_searches: -- name: View the detection results for $dest$ and $user$ - search: '%original_detection_search% | search dest = $dest$ user = $user$' +- name: View the detection results for - "$dest$" and "$user$" + search: '%original_detection_search% | search dest = "$dest$" user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ and $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$, $user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" and "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/slui_runas_elevated.yml b/detections/endpoint/slui_runas_elevated.yml index 8b5ad9f5d5..f39e96c958 100644 --- a/detections/endpoint/slui_runas_elevated.yml +++ b/detections/endpoint/slui_runas_elevated.yml @@ -20,12 +20,12 @@ references: - https://www.rapid7.com/db/modules/exploit/windows/local/bypassuac_sluihijack/ - https://www.mandiant.com/resources/shining-a-light-on-darkside-ransomware-operations drilldown_searches: -- name: View the detection results for $dest$ and $user$ - search: '%original_detection_search% | search dest = $dest$ user = $user$' +- name: View the detection results for - "$dest$" and "$user$" + search: '%original_detection_search% | search dest = "$dest$" user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ and $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$, $user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" and "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/slui_spawning_a_process.yml b/detections/endpoint/slui_spawning_a_process.yml index 9551b471c6..55c1b67c27 100644 --- a/detections/endpoint/slui_spawning_a_process.yml +++ b/detections/endpoint/slui_spawning_a_process.yml @@ -18,12 +18,12 @@ references: - https://www.rapid7.com/db/modules/exploit/windows/local/bypassuac_sluihijack/ - https://www.mandiant.com/resources/shining-a-light-on-darkside-ransomware-operations drilldown_searches: -- name: View the detection results for $dest$ and $user$ - search: '%original_detection_search% | search dest = $dest$ user = $user$' +- name: View the detection results for - "$dest$" and "$user$" + search: '%original_detection_search% | search dest = "$dest$" user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ and $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$, $user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" and "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/spike_in_file_writes.yml b/detections/endpoint/spike_in_file_writes.yml index 85342b7653..0c4a0d86d3 100644 --- a/detections/endpoint/spike_in_file_writes.yml +++ b/detections/endpoint/spike_in_file_writes.yml @@ -5,30 +5,12 @@ date: '2024-10-17' author: David Dorsey, Splunk status: experimental type: Anomaly -description: The following analytic detects a sharp increase in the number of files - written to a specific host. It leverages the Endpoint.Filesystem data model, focusing - on 'created' actions and comparing current file write counts against historical - averages and standard deviations. This activity is significant as a sudden spike - in file writes can indicate malicious activities such as ransomware encryption or - data exfiltration. If confirmed malicious, this behavior could lead to significant - data loss, system compromise, or further propagation of malware within the network. +description: The following analytic detects a sharp increase in the number of files written to a specific host. It leverages the Endpoint.Filesystem data model, focusing on 'created' actions and comparing current file write counts against historical averages and standard deviations. This activity is significant as a sudden spike in file writes can indicate malicious activities such as ransomware encryption or data exfiltration. If confirmed malicious, this behavior could lead to significant data loss, system compromise, or further propagation of malware within the network. data_source: - Sysmon EventID 11 -search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Filesystem - where Filesystem.action=created by _time span=1h, Filesystem.dest | `drop_dm_object_name(Filesystem)` - | eventstats max(_time) as maxtime | stats count as num_data_samples max(eval(if(_time - >= relative_time(maxtime, "-1d@d"), count, null))) as "count" avg(eval(if(_time upperBound) AND num_data_samples >=20, 1, 0) | search isOutlier=1 | `spike_in_file_writes_filter`' -how_to_implement: In order to implement this search, you must populate the Endpoint - file-system data model node. This is typically populated via endpoint detection - and response product, such as Carbon Black or endpoint data sources such as Sysmon. - The data used for this search is typically generated via logs that report reads - and writes to the file system. -known_false_positives: It is important to understand that if you happen to install - any new applications on your hosts or are copying a large number of files, you can - expect to see a large increase of file modifications. +search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Filesystem where Filesystem.action=created by _time span=1h, Filesystem.dest | `drop_dm_object_name(Filesystem)` | eventstats max(_time) as maxtime | stats count as num_data_samples max(eval(if(_time >= relative_time(maxtime, "-1d@d"), count, null))) as "count" avg(eval(if(_time upperBound) AND num_data_samples >=20, 1, 0) | search isOutlier=1 | `spike_in_file_writes_filter`' +how_to_implement: In order to implement this search, you must populate the Endpoint file-system data model node. This is typically populated via endpoint detection and response product, such as Carbon Black or endpoint data sources such as Sysmon. The data used for this search is typically generated via logs that report reads and writes to the file system. +known_false_positives: It is important to understand that if you happen to install any new applications on your hosts or are copying a large number of files, you can expect to see a large increase of file modifications. references: [] tags: analytic_story: diff --git a/detections/endpoint/spoolsv_spawning_rundll32.yml b/detections/endpoint/spoolsv_spawning_rundll32.yml index bda126d0f2..b72bc01c9c 100644 --- a/detections/endpoint/spoolsv_spawning_rundll32.yml +++ b/detections/endpoint/spoolsv_spawning_rundll32.yml @@ -18,12 +18,12 @@ references: - https://www.truesec.com/hub/blog/exploitable-critical-rce-vulnerability-allows-regular-users-to-fully-compromise-active-directory-printnightmare-cve-2021-1675 - https://www.reddit.com/r/msp/comments/ob6y02/critical_vulnerability_printnightmare_exposes drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/spoolsv_suspicious_loaded_modules.yml b/detections/endpoint/spoolsv_suspicious_loaded_modules.yml index b1808c1a7e..996aef7d4c 100644 --- a/detections/endpoint/spoolsv_suspicious_loaded_modules.yml +++ b/detections/endpoint/spoolsv_suspicious_loaded_modules.yml @@ -14,12 +14,12 @@ known_false_positives: unknown references: - https://raw.githubusercontent.com/hieuttmmo/sigma/dceb13fe3f1821b119ae495b41e24438bd97e3d0/rules/windows/image_load/sysmon_cve_2021_1675_print_nightmare.yml drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/spoolsv_suspicious_process_access.yml b/detections/endpoint/spoolsv_suspicious_process_access.yml index 72bb935065..b3ade394c1 100644 --- a/detections/endpoint/spoolsv_suspicious_process_access.yml +++ b/detections/endpoint/spoolsv_suspicious_process_access.yml @@ -17,12 +17,12 @@ references: - https://www.truesec.com/hub/blog/exploitable-critical-rce-vulnerability-allows-regular-users-to-fully-compromise-active-directory-printnightmare-cve-2021-1675 - https://www.reddit.com/r/msp/comments/ob6y02/critical_vulnerability_printnightmare_exposes drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/spoolsv_writing_a_dll.yml b/detections/endpoint/spoolsv_writing_a_dll.yml index 23f912b0bd..ea892a81f0 100644 --- a/detections/endpoint/spoolsv_writing_a_dll.yml +++ b/detections/endpoint/spoolsv_writing_a_dll.yml @@ -19,12 +19,12 @@ references: - https://www.truesec.com/hub/blog/exploitable-critical-rce-vulnerability-allows-regular-users-to-fully-compromise-active-directory-printnightmare-cve-2021-1675 - https://www.reddit.com/r/msp/comments/ob6y02/critical_vulnerability_printnightmare_exposes drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/spoolsv_writing_a_dll___sysmon.yml b/detections/endpoint/spoolsv_writing_a_dll___sysmon.yml index 8827c9028c..27bade6322 100644 --- a/detections/endpoint/spoolsv_writing_a_dll___sysmon.yml +++ b/detections/endpoint/spoolsv_writing_a_dll___sysmon.yml @@ -17,12 +17,12 @@ references: - https://www.truesec.com/hub/blog/exploitable-critical-rce-vulnerability-allows-regular-users-to-fully-compromise-active-directory-printnightmare-cve-2021-1675 - https://www.reddit.com/r/msp/comments/ob6y02/critical_vulnerability_printnightmare_exposes drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/sqlite_module_in_temp_folder.yml b/detections/endpoint/sqlite_module_in_temp_folder.yml index 8282bb458d..ae93356e72 100644 --- a/detections/endpoint/sqlite_module_in_temp_folder.yml +++ b/detections/endpoint/sqlite_module_in_temp_folder.yml @@ -14,12 +14,12 @@ known_false_positives: unknown references: - https://www.cisecurity.org/insights/white-papers/security-primer-icedid drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/steal_or_forge_authentication_certificates_behavior_identified.yml b/detections/endpoint/steal_or_forge_authentication_certificates_behavior_identified.yml index 418977dcdf..a49f8ebc41 100644 --- a/detections/endpoint/steal_or_forge_authentication_certificates_behavior_identified.yml +++ b/detections/endpoint/steal_or_forge_authentication_certificates_behavior_identified.yml @@ -14,12 +14,12 @@ references: - https://research.splunk.com/stories/windows_certificate_services/ - https://attack.mitre.org/techniques/T1649/ drilldown_searches: -- name: View the detection results for $risk_object$ - search: '%original_detection_search% | search risk_object = $risk_object$' +- name: View the detection results for - "$risk_object$" + search: '%original_detection_search% | search risk_object = "$risk_object$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $risk_object$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($risk_object$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$risk_object$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$risk_object$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/sunburst_correlation_dll_and_network_event.yml b/detections/endpoint/sunburst_correlation_dll_and_network_event.yml index 0dadd515aa..62b7121d16 100644 --- a/detections/endpoint/sunburst_correlation_dll_and_network_event.yml +++ b/detections/endpoint/sunburst_correlation_dll_and_network_event.yml @@ -5,26 +5,12 @@ date: '2024-10-17' author: Patrick Bareiss, Splunk status: experimental type: TTP -description: The following analytic identifies the loading of the malicious SolarWinds.Orion.Core.BusinessLayer.dll - by SolarWinds.BusinessLayerHost.exe and subsequent DNS queries to avsvmcloud.com. - It uses Sysmon EventID 7 for DLL loading and Event ID 22 for DNS queries, correlating - these events within a 12-14 day period. This activity is significant as it indicates - potential Sunburst malware infection, a known supply chain attack. If confirmed - malicious, this could lead to unauthorized network access, data exfiltration, and - further compromise of the affected systems. +description: The following analytic identifies the loading of the malicious SolarWinds.Orion.Core.BusinessLayer.dll by SolarWinds.BusinessLayerHost.exe and subsequent DNS queries to avsvmcloud.com. It uses Sysmon EventID 7 for DLL loading and Event ID 22 for DNS queries, correlating these events within a 12-14 day period. This activity is significant as it indicates potential Sunburst malware infection, a known supply chain attack. If confirmed malicious, this could lead to unauthorized network access, data exfiltration, and further compromise of the affected systems. data_source: - Sysmon EventID 7 - Sysmon EventID 22 -search: '(`sysmon` EventCode=7 ImageLoaded=*SolarWinds.Orion.Core.BusinessLayer.dll) - OR (`sysmon` EventCode=22 QueryName=*avsvmcloud.com) | eventstats dc(EventCode) - AS dc_events | where dc_events=2 | stats min(_time) as firstTime max(_time) as lastTime - values(ImageLoaded) AS ImageLoaded values(QueryName) AS QueryName by host | rename - host as dest | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` - | `sunburst_correlation_dll_and_network_event_filter`' -how_to_implement: This detection relies on sysmon logs with the Event ID 7, Driver - loaded. Please tune your sysmon config that you DriverLoad event for SolarWinds.Orion.Core.BusinessLayer.dll - is captured by Sysmon. Additionally, you need sysmon logs for Event ID 22, DNS Query. - We suggest to run this detection at least once a day over the last 14 days. +search: (`sysmon` EventCode=7 ImageLoaded=*SolarWinds.Orion.Core.BusinessLayer.dll) OR (`sysmon` EventCode=22 QueryName=*avsvmcloud.com) | eventstats dc(EventCode) AS dc_events | where dc_events=2 | stats min(_time) as firstTime max(_time) as lastTime values(ImageLoaded) AS ImageLoaded values(QueryName) AS QueryName by host | rename host as dest | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `sunburst_correlation_dll_and_network_event_filter` +how_to_implement: This detection relies on sysmon logs with the Event ID 7, Driver loaded. Please tune your sysmon config that you DriverLoad event for SolarWinds.Orion.Core.BusinessLayer.dll is captured by Sysmon. Additionally, you need sysmon logs for Event ID 22, DNS Query. We suggest to run this detection at least once a day over the last 14 days. known_false_positives: unknown references: - https://www.mandiant.com/resources/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor diff --git a/detections/endpoint/suspicious_computer_account_name_change.yml b/detections/endpoint/suspicious_computer_account_name_change.yml index f9e4fff375..792202ed3d 100644 --- a/detections/endpoint/suspicious_computer_account_name_change.yml +++ b/detections/endpoint/suspicious_computer_account_name_change.yml @@ -16,12 +16,12 @@ references: - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-42278 - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-42287 drilldown_searches: -- name: View the detection results for $dest$ and $OldTargetUserName$ - search: '%original_detection_search% | search dest = $dest$ OldTargetUserName = $OldTargetUserName$' +- name: View the detection results for - "$dest$" and "$OldTargetUserName$" + search: '%original_detection_search% | search dest = "$dest$" OldTargetUserName = "$OldTargetUserName$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ and $OldTargetUserName$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$, $OldTargetUserName$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" and "$OldTargetUserName$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$OldTargetUserName$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/suspicious_copy_on_system32.yml b/detections/endpoint/suspicious_copy_on_system32.yml index 835839594b..41696465f4 100644 --- a/detections/endpoint/suspicious_copy_on_system32.yml +++ b/detections/endpoint/suspicious_copy_on_system32.yml @@ -17,12 +17,12 @@ references: - https://www.hybrid-analysis.com/sample/8da5b75b6380a41eee3a399c43dfe0d99eeefaa1fd21027a07b1ecaa4cd96fdd?environmentId=120 - https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/ drilldown_searches: -- name: View the detection results for $dest$ and $user$ - search: '%original_detection_search% | search dest = $dest$ user = $user$' +- name: View the detection results for - "$dest$" and "$user$" + search: '%original_detection_search% | search dest = "$dest$" user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ and $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$, $user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" and "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/suspicious_curl_network_connection.yml b/detections/endpoint/suspicious_curl_network_connection.yml index a78782b205..0e42418e42 100644 --- a/detections/endpoint/suspicious_curl_network_connection.yml +++ b/detections/endpoint/suspicious_curl_network_connection.yml @@ -5,33 +5,13 @@ date: '2024-10-17' author: Michael Haag, Splunk status: experimental type: TTP -description: The following analytic detects the use of the curl command contacting - suspicious remote domains, such as s3.amazonaws.com, which is indicative of Command - and Control (C2) activity or downloading further implants. This detection leverages - data from Endpoint Detection and Response (EDR) agents, focusing on process execution - logs and command-line arguments. This activity is significant as it may indicate - the presence of MacOS adware or other malicious software attempting to establish - persistence or exfiltrate data. If confirmed malicious, this could allow attackers - to maintain control over the compromised system and deploy additional payloads. +description: The following analytic detects the use of the curl command contacting suspicious remote domains, such as s3.amazonaws.com, which is indicative of Command and Control (C2) activity or downloading further implants. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs and command-line arguments. This activity is significant as it may indicate the presence of MacOS adware or other malicious software attempting to establish persistence or exfiltrate data. If confirmed malicious, this could allow attackers to maintain control over the compromised system and deploy additional payloads. data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) - as lastTime from datamodel=Endpoint.Processes where Processes.process_name=curl - Processes.process=s3.amazonaws.com by Processes.dest Processes.user Processes.parent_process - Processes.process_name Processes.process Processes.process_id Processes.parent_process_id - | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` - | `suspicious_curl_network_connection_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection - and Response (EDR) agents. These agents are designed to provide security-related - telemetry from the endpoints where the agent is installed. To implement this search, - you must ingest logs that contain the process GUID, process name, and parent process. - Additionally, you must ingest complete command-line executions. These logs must - be processed using the appropriate Splunk Technology Add-ons that are specific to - the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` - data model. Use the Splunk Common Information Model (CIM) to normalize the field - names and speed up the data modeling process. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=curl Processes.process=s3.amazonaws.com by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `suspicious_curl_network_connection_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. known_false_positives: Unknown. Filter as needed. references: - https://redcanary.com/blog/clipping-silver-sparrows-wings/ diff --git a/detections/endpoint/suspicious_dllhost_no_command_line_arguments.yml b/detections/endpoint/suspicious_dllhost_no_command_line_arguments.yml index 3ba3a676c9..6bfd3a3bc5 100644 --- a/detections/endpoint/suspicious_dllhost_no_command_line_arguments.yml +++ b/detections/endpoint/suspicious_dllhost_no_command_line_arguments.yml @@ -17,12 +17,12 @@ references: - https://raw.githubusercontent.com/threatexpress/malleable-c2/c3385e481159a759f79b8acfe11acf240893b830/jquery-c2.4.2.profile - https://www.cobaltstrike.com/blog/learn-pipe-fitting-for-all-of-your-offense-projects/ drilldown_searches: -- name: View the detection results for $dest$ and $user$ - search: '%original_detection_search% | search dest = $dest$ user = $user$' +- name: View the detection results for - "$dest$" and "$user$" + search: '%original_detection_search% | search dest = "$dest$" user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ and $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$, $user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" and "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/suspicious_driver_loaded_path.yml b/detections/endpoint/suspicious_driver_loaded_path.yml index 807c5605b8..67b8694b9a 100644 --- a/detections/endpoint/suspicious_driver_loaded_path.yml +++ b/detections/endpoint/suspicious_driver_loaded_path.yml @@ -15,12 +15,12 @@ references: - https://www.trendmicro.com/vinfo/hk/threat-encyclopedia/malware/trojan.ps1.powtran.a/ - https://redcanary.com/blog/tracking-driver-inventory-to-expose-rootkits/ drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/suspicious_event_log_service_behavior.yml b/detections/endpoint/suspicious_event_log_service_behavior.yml index 7493b23b4e..142a4c048c 100644 --- a/detections/endpoint/suspicious_event_log_service_behavior.yml +++ b/detections/endpoint/suspicious_event_log_service_behavior.yml @@ -5,22 +5,12 @@ date: '2024-10-17' author: Mauricio Velazco, Splunk status: production type: Hunting -description: The following analytic detects the shutdown of the Windows Event Log - service using Windows Event ID 1100. This event is logged every time the service - stops, including during normal system shutdowns. Monitoring this activity is crucial - as it can indicate attempts to cover tracks or disable logging. If confirmed malicious, - an attacker could hide their activities, making it difficult to trace their actions - and investigate further incidents. Analysts should verify if the shutdown was planned - and review other alerts and data sources for additional suspicious behavior. +description: The following analytic detects the shutdown of the Windows Event Log service using Windows Event ID 1100. This event is logged every time the service stops, including during normal system shutdowns. Monitoring this activity is crucial as it can indicate attempts to cover tracks or disable logging. If confirmed malicious, an attacker could hide their activities, making it difficult to trace their actions and investigate further incidents. Analysts should verify if the shutdown was planned and review other alerts and data sources for additional suspicious behavior. data_source: - Windows Event Log Security 1100 -search: '(`wineventlog_security` EventCode=1100) | stats count min(_time) as firstTime - max(_time) as lastTime by dest name EventCode | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)`| `suspicious_event_log_service_behavior_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting - Windows event logs from your hosts. In addition, the Splunk Windows TA is needed. -known_false_positives: It is possible the Event Logging service gets shut down due - to system errors or legitimately administration tasks. Filter as needed. +search: (`wineventlog_security` EventCode=1100) | stats count min(_time) as firstTime max(_time) as lastTime by dest name EventCode | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `suspicious_event_log_service_behavior_filter` +how_to_implement: To successfully implement this search, you need to be ingesting Windows event logs from your hosts. In addition, the Splunk Windows TA is needed. +known_false_positives: It is possible the Event Logging service gets shut down due to system errors or legitimately administration tasks. Filter as needed. references: - https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-1100 - https://www.ired.team/offensive-security/defense-evasion/disabling-windows-event-logs-by-suspending-eventlog-service-threads @@ -56,7 +46,6 @@ tags: tests: - name: True Positive Test attack_data: - - data: - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1070.001/suspicious_event_log_service_behavior/windows-xml.log + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1070.001/suspicious_event_log_service_behavior/windows-xml.log source: XmlWinEventLog:Security sourcetype: XmlWinEventLog diff --git a/detections/endpoint/suspicious_gpupdate_no_command_line_arguments.yml b/detections/endpoint/suspicious_gpupdate_no_command_line_arguments.yml index 8f93cfc5f8..ce5a0bcd3a 100644 --- a/detections/endpoint/suspicious_gpupdate_no_command_line_arguments.yml +++ b/detections/endpoint/suspicious_gpupdate_no_command_line_arguments.yml @@ -17,12 +17,12 @@ references: - https://raw.githubusercontent.com/xx0hcd/Malleable-C2-Profiles/0ef8cf4556e26f6d4190c56ba697c2159faa5822/crimeware/trick_ryuk.profile - https://www.cobaltstrike.com/blog/learn-pipe-fitting-for-all-of-your-offense-projects/ drilldown_searches: -- name: View the detection results for $dest$ and $user$ - search: '%original_detection_search% | search dest = $dest$ user = $user$' +- name: View the detection results for - "$dest$" and "$user$" + search: '%original_detection_search% | search dest = "$dest$" user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ and $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$, $user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" and "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/suspicious_icedid_rundll32_cmdline.yml b/detections/endpoint/suspicious_icedid_rundll32_cmdline.yml index 249d7bbdf5..b2b25965c3 100644 --- a/detections/endpoint/suspicious_icedid_rundll32_cmdline.yml +++ b/detections/endpoint/suspicious_icedid_rundll32_cmdline.yml @@ -16,12 +16,12 @@ known_false_positives: limitted. this parameter is not commonly used by windows references: - https://threatpost.com/icedid-banking-trojan-surges-emotet/165314/ drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/suspicious_image_creation_in_appdata_folder.yml b/detections/endpoint/suspicious_image_creation_in_appdata_folder.yml index 87a99b4fd4..ac4cf766f8 100644 --- a/detections/endpoint/suspicious_image_creation_in_appdata_folder.yml +++ b/detections/endpoint/suspicious_image_creation_in_appdata_folder.yml @@ -15,12 +15,12 @@ references: - https://success.trendmicro.com/dcx/s/solution/1123281-remcos-malware-information?language=en_US - https://blog.malwarebytes.com/threat-intelligence/2021/07/remcos-rat-delivered-via-visual-basic/ drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/suspicious_kerberos_service_ticket_request.yml b/detections/endpoint/suspicious_kerberos_service_ticket_request.yml index b09b299c42..207c2423f6 100644 --- a/detections/endpoint/suspicious_kerberos_service_ticket_request.yml +++ b/detections/endpoint/suspicious_kerberos_service_ticket_request.yml @@ -17,12 +17,12 @@ references: - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-42287 - https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-sfu/02636893-7a1f-4357-af9a-b672e3e3de13 drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/suspicious_linux_discovery_commands.yml b/detections/endpoint/suspicious_linux_discovery_commands.yml index 965ea20114..e608d0e559 100644 --- a/detections/endpoint/suspicious_linux_discovery_commands.yml +++ b/detections/endpoint/suspicious_linux_discovery_commands.yml @@ -20,12 +20,12 @@ references: - https://github.com/carlospolop/PEASS-ng/tree/master/linPEAS - https://github.com/rebootuser/LinEnum drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/suspicious_microsoft_workflow_compiler_rename.yml b/detections/endpoint/suspicious_microsoft_workflow_compiler_rename.yml index b273042d22..c2e856034a 100644 --- a/detections/endpoint/suspicious_microsoft_workflow_compiler_rename.yml +++ b/detections/endpoint/suspicious_microsoft_workflow_compiler_rename.yml @@ -5,35 +5,14 @@ date: '2024-10-17' author: Michael Haag, Splunk status: production type: Hunting -description: The following analytic detects the renaming of microsoft.workflow.compiler.exe, - a rarely used executable typically located in C:\Windows\Microsoft.NET\Framework64\v4.0.30319. - This detection leverages Endpoint Detection and Response (EDR) data, focusing on - process names and original file names. This activity is significant because renaming - this executable can indicate an attempt to evade security controls. If confirmed - malicious, an attacker could use this renamed executable to execute arbitrary code, - potentially leading to privilege escalation or persistent access within the environment. +description: The following analytic detects the renaming of microsoft.workflow.compiler.exe, a rarely used executable typically located in C:\Windows\Microsoft.NET\Framework64\v4.0.30319. This detection leverages Endpoint Detection and Response (EDR) data, focusing on process names and original file names. This activity is significant because renaming this executable can indicate an attempt to evade security controls. If confirmed malicious, an attacker could use this renamed executable to execute arbitrary code, potentially leading to privilege escalation or persistent access within the environment. data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) - as lastTime from datamodel=Endpoint.Processes where Processes.process_name!=microsoft.workflow.compiler.exe - AND Processes.original_file_name=Microsoft.Workflow.Compiler.exe by Processes.dest - Processes.user Processes.parent_process_name Processes.process_name Processes.process - Processes.process_id Processes.parent_process_id Processes.original_file_name | - `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` - | `suspicious_microsoft_workflow_compiler_rename_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection - and Response (EDR) agents. These agents are designed to provide security-related - telemetry from the endpoints where the agent is installed. To implement this search, - you must ingest logs that contain the process GUID, process name, and parent process. - Additionally, you must ingest complete command-line executions. These logs must - be processed using the appropriate Splunk Technology Add-ons that are specific to - the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` - data model. Use the Splunk Common Information Model (CIM) to normalize the field - names and speed up the data modeling process. -known_false_positives: Although unlikely, some legitimate applications may use a moved - copy of microsoft.workflow.compiler.exe, triggering a false positive. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name!=microsoft.workflow.compiler.exe AND Processes.original_file_name=Microsoft.Workflow.Compiler.exe by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.original_file_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `suspicious_microsoft_workflow_compiler_rename_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. +known_false_positives: Although unlikely, some legitimate applications may use a moved copy of microsoft.workflow.compiler.exe, triggering a false positive. references: - https://lolbas-project.github.io/lolbas/Binaries/Microsoft.Workflow.Compiler/ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218/T1218.md#atomic-test-6---microsoftworkflowcompilerexe-payload-execution @@ -48,8 +27,7 @@ tags: asset_type: Endpoint confidence: 90 impact: 70 - message: Suspicious renamed microsoft.workflow.compiler.exe binary ran on $dest$ - by $user$ + message: Suspicious renamed microsoft.workflow.compiler.exe binary ran on $dest$ by $user$ mitre_attack_id: - T1036 - T1127 @@ -85,7 +63,6 @@ tags: tests: - name: True Positive Test attack_data: - - data: - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1127/atomic_red_team/windows-sysmon.log + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1127/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/suspicious_microsoft_workflow_compiler_usage.yml b/detections/endpoint/suspicious_microsoft_workflow_compiler_usage.yml index f1a42a324e..5bbac14901 100644 --- a/detections/endpoint/suspicious_microsoft_workflow_compiler_usage.yml +++ b/detections/endpoint/suspicious_microsoft_workflow_compiler_usage.yml @@ -17,12 +17,12 @@ references: - https://lolbas-project.github.io/lolbas/Binaries/Msbuild/ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218/T1218.md#atomic-test-6---microsoftworkflowcompilerexe-payload-execution drilldown_searches: -- name: View the detection results for $dest$ and $user$ - search: '%original_detection_search% | search dest = $dest$ user = $user$' +- name: View the detection results for - "$dest$" and "$user$" + search: '%original_detection_search% | search dest = "$dest$" user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ and $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$, $user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" and "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/suspicious_msbuild_path.yml b/detections/endpoint/suspicious_msbuild_path.yml index 5d622556e6..00e97a7d27 100644 --- a/detections/endpoint/suspicious_msbuild_path.yml +++ b/detections/endpoint/suspicious_msbuild_path.yml @@ -17,12 +17,12 @@ references: - https://lolbas-project.github.io/lolbas/Binaries/Msbuild/ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1127.001/T1127.001.md drilldown_searches: -- name: View the detection results for $dest$ and $user$ - search: '%original_detection_search% | search dest = $dest$ user = $user$' +- name: View the detection results for - "$dest$" and "$user$" + search: '%original_detection_search% | search dest = "$dest$" user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ and $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$, $user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" and "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/suspicious_msbuild_rename.yml b/detections/endpoint/suspicious_msbuild_rename.yml index 4eedfa9641..4266d65578 100644 --- a/detections/endpoint/suspicious_msbuild_rename.yml +++ b/detections/endpoint/suspicious_msbuild_rename.yml @@ -5,35 +5,14 @@ date: '2024-10-17' author: Michael Haag, Splunk status: production type: Hunting -description: The following analytic detects the execution of renamed instances of - msbuild.exe. It leverages data from Endpoint Detection and Response (EDR) agents, - focusing on process names and original file names within the Endpoint data model. - This activity is significant because msbuild.exe is a legitimate tool often abused - by attackers to execute malicious code while evading detection. If confirmed malicious, - this behavior could allow an attacker to execute arbitrary code, potentially leading - to system compromise, data exfiltration, or further lateral movement within the - network. +description: The following analytic detects the execution of renamed instances of msbuild.exe. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and original file names within the Endpoint data model. This activity is significant because msbuild.exe is a legitimate tool often abused by attackers to execute malicious code while evading detection. If confirmed malicious, this behavior could allow an attacker to execute arbitrary code, potentially leading to system compromise, data exfiltration, or further lateral movement within the network. data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) - as lastTime from datamodel=Endpoint.Processes where Processes.process_name!=msbuild.exe - AND Processes.original_file_name=MSBuild.exe by Processes.dest Processes.user Processes.parent_process_name - Processes.process_name Processes.process Processes.process_id Processes.parent_process_id - Processes.original_file_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` | `suspicious_msbuild_rename_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection - and Response (EDR) agents. These agents are designed to provide security-related - telemetry from the endpoints where the agent is installed. To implement this search, - you must ingest logs that contain the process GUID, process name, and parent process. - Additionally, you must ingest complete command-line executions. These logs must - be processed using the appropriate Splunk Technology Add-ons that are specific to - the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` - data model. Use the Splunk Common Information Model (CIM) to normalize the field - names and speed up the data modeling process. -known_false_positives: Although unlikely, some legitimate applications may use a moved - copy of msbuild, triggering a false positive. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name!=msbuild.exe AND Processes.original_file_name=MSBuild.exe by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.original_file_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `suspicious_msbuild_rename_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. +known_false_positives: Although unlikely, some legitimate applications may use a moved copy of msbuild, triggering a false positive. references: - https://lolbas-project.github.io/lolbas/Binaries/Msbuild/ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1127.001/T1127.001.md @@ -86,8 +65,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1127.001/windows-sysmon.log + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1127.001/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog update_timestamp: true diff --git a/detections/endpoint/suspicious_msbuild_spawn.yml b/detections/endpoint/suspicious_msbuild_spawn.yml index cb924b1e84..c78f7366c5 100644 --- a/detections/endpoint/suspicious_msbuild_spawn.yml +++ b/detections/endpoint/suspicious_msbuild_spawn.yml @@ -17,12 +17,12 @@ references: - https://lolbas-project.github.io/lolbas/Binaries/Msbuild/ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1127.001/T1127.001.md drilldown_searches: -- name: View the detection results for $dest$ and $user$ - search: '%original_detection_search% | search dest = $dest$ user = $user$' +- name: View the detection results for - "$dest$" and "$user$" + search: '%original_detection_search% | search dest = "$dest$" user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ and $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$, $user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" and "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/suspicious_mshta_child_process.yml b/detections/endpoint/suspicious_mshta_child_process.yml index aa72ee9e61..61f61ed6c4 100644 --- a/detections/endpoint/suspicious_mshta_child_process.yml +++ b/detections/endpoint/suspicious_mshta_child_process.yml @@ -17,12 +17,12 @@ references: - https://github.com/redcanaryco/AtomicTestHarnesses - https://redcanary.com/blog/introducing-atomictestharnesses/ drilldown_searches: -- name: View the detection results for $user$ and $dest$ - search: '%original_detection_search% | search user = $user$ dest = $dest$' +- name: View the detection results for - "$user$" and "$dest$" + search: '%original_detection_search% | search user = "$user$" dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ and $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$, $dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" and "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/suspicious_mshta_spawn.yml b/detections/endpoint/suspicious_mshta_spawn.yml index 88bdaf5890..b0aa56d27a 100644 --- a/detections/endpoint/suspicious_mshta_spawn.yml +++ b/detections/endpoint/suspicious_mshta_spawn.yml @@ -18,12 +18,12 @@ references: - https://github.com/redcanaryco/AtomicTestHarnesses - https://redcanary.com/blog/introducing-atomictestharnesses/ drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/suspicious_plistbuddy_usage.yml b/detections/endpoint/suspicious_plistbuddy_usage.yml index cab8fe4f1f..7584612055 100644 --- a/detections/endpoint/suspicious_plistbuddy_usage.yml +++ b/detections/endpoint/suspicious_plistbuddy_usage.yml @@ -5,36 +5,14 @@ date: '2024-10-17' author: Michael Haag, Splunk status: experimental type: TTP -description: 'The following analytic identifies the use of the native macOS utility, - PlistBuddy, to create or modify property list (.plist) files. This detection leverages - data from Endpoint Detection and Response (EDR) agents, focusing on process names - and command-line executions involving PlistBuddy. This activity is significant because - PlistBuddy can be used to establish persistence by modifying LaunchAgents, as seen - in the Silver Sparrow malware. If confirmed malicious, this could allow an attacker - to maintain persistence, execute arbitrary commands, and potentially escalate privileges - on the compromised macOS system.' +description: The following analytic identifies the use of the native macOS utility, PlistBuddy, to create or modify property list (.plist) files. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions involving PlistBuddy. This activity is significant because PlistBuddy can be used to establish persistence by modifying LaunchAgents, as seen in the Silver Sparrow malware. If confirmed malicious, this could allow an attacker to maintain persistence, execute arbitrary commands, and potentially escalate privileges on the compromised macOS system. data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) - as lastTime from datamodel=Endpoint.Processes where Processes.process_name=PlistBuddy - (Processes.process=*LaunchAgents* OR Processes.process=*RunAtLoad* OR Processes.process=*true*) - by Processes.dest Processes.user Processes.parent_process Processes.process_name - Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` - | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `suspicious_plistbuddy_usage_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection - and Response (EDR) agents. These agents are designed to provide security-related - telemetry from the endpoints where the agent is installed. To implement this search, - you must ingest logs that contain the process GUID, process name, and parent process. - Additionally, you must ingest complete command-line executions. These logs must - be processed using the appropriate Splunk Technology Add-ons that are specific to - the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` - data model. Use the Splunk Common Information Model (CIM) to normalize the field - names and speed up the data modeling process. -known_false_positives: Some legitimate applications may use PlistBuddy to create or - modify property lists and possibly generate false positives. Review the property - list being modified or created to confirm. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=PlistBuddy (Processes.process=*LaunchAgents* OR Processes.process=*RunAtLoad* OR Processes.process=*true*) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `suspicious_plistbuddy_usage_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. +known_false_positives: Some legitimate applications may use PlistBuddy to create or modify property lists and possibly generate false positives. Review the property list being modified or created to confirm. references: - https://www.marcosantadev.com/manage-plist-files-plistbuddy/ tags: diff --git a/detections/endpoint/suspicious_plistbuddy_usage_via_osquery.yml b/detections/endpoint/suspicious_plistbuddy_usage_via_osquery.yml index b25adcb64d..b236e4924a 100644 --- a/detections/endpoint/suspicious_plistbuddy_usage_via_osquery.yml +++ b/detections/endpoint/suspicious_plistbuddy_usage_via_osquery.yml @@ -5,23 +5,11 @@ date: '2024-10-17' author: Michael Haag, Splunk status: experimental type: TTP -description: 'The following analytic detects the use of the PlistBuddy utility on - macOS to create or modify property list (.plist) files. It leverages OSQuery to - monitor process events, specifically looking for commands that interact with LaunchAgents - and set properties like RunAtLoad. This activity is significant because PlistBuddy - can be used to establish persistence mechanisms, as seen in malware like Silver - Sparrow. If confirmed malicious, this could allow an attacker to maintain persistence, - execute arbitrary commands, and potentially escalate privileges on the compromised - system.' +description: The following analytic detects the use of the PlistBuddy utility on macOS to create or modify property list (.plist) files. It leverages OSQuery to monitor process events, specifically looking for commands that interact with LaunchAgents and set properties like RunAtLoad. This activity is significant because PlistBuddy can be used to establish persistence mechanisms, as seen in malware like Silver Sparrow. If confirmed malicious, this could allow an attacker to maintain persistence, execute arbitrary commands, and potentially escalate privileges on the compromised system. data_source: [] -search: '`osquery_process` "columns.cmdline"="*LaunchAgents*" OR "columns.cmdline"="*RunAtLoad*" - OR "columns.cmdline"="*true*" | `suspicious_plistbuddy_usage_via_osquery_filter`' -how_to_implement: OSQuery must be installed and configured to pick up process events - (info at https://osquery.io) as well as using the Splunk OSQuery Add-on https://splunkbase.splunk.com/app/4402. - Modify the macro and validate fields are correct. -known_false_positives: Some legitimate applications may use PlistBuddy to create or - modify property lists and possibly generate false positives. Review the property - list being modified or created to confirm. +search: '`osquery_process` "columns.cmdline"="*LaunchAgents*" OR "columns.cmdline"="*RunAtLoad*" OR "columns.cmdline"="*true*" | `suspicious_plistbuddy_usage_via_osquery_filter`' +how_to_implement: OSQuery must be installed and configured to pick up process events (info at https://osquery.io) as well as using the Splunk OSQuery Add-on https://splunkbase.splunk.com/app/4402. Modify the macro and validate fields are correct. +known_false_positives: Some legitimate applications may use PlistBuddy to create or modify property lists and possibly generate false positives. Review the property list being modified or created to confirm. references: - https://www.marcosantadev.com/manage-plist-files-plistbuddy/ tags: diff --git a/detections/endpoint/suspicious_process_dns_query_known_abuse_web_services.yml b/detections/endpoint/suspicious_process_dns_query_known_abuse_web_services.yml index b3d9db30a0..3ed272729f 100644 --- a/detections/endpoint/suspicious_process_dns_query_known_abuse_web_services.yml +++ b/detections/endpoint/suspicious_process_dns_query_known_abuse_web_services.yml @@ -15,12 +15,12 @@ references: - https://urlhaus.abuse.ch/url/1798923/ - https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/ drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/suspicious_process_executed_from_container_file.yml b/detections/endpoint/suspicious_process_executed_from_container_file.yml index 48d0338791..cd062ee8a4 100644 --- a/detections/endpoint/suspicious_process_executed_from_container_file.yml +++ b/detections/endpoint/suspicious_process_executed_from_container_file.yml @@ -18,12 +18,12 @@ references: - https://www.crowdstrike.com/blog/weaponizing-disk-image-files-analysis/ - https://attack.mitre.org/techniques/T1204/002/ drilldown_searches: -- name: View the detection results for $dest$ and $user$ - search: '%original_detection_search% | search dest = $dest$ user = $user$' +- name: View the detection results for - "$dest$" and "$user$" + search: '%original_detection_search% | search dest = "$dest$" user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ and $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$, $user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" and "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/suspicious_process_file_path.yml b/detections/endpoint/suspicious_process_file_path.yml index 2b6c71f919..6dd1b7cdf0 100644 --- a/detections/endpoint/suspicious_process_file_path.yml +++ b/detections/endpoint/suspicious_process_file_path.yml @@ -20,12 +20,12 @@ references: - https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat - https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/ drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/suspicious_process_with_discord_dns_query.yml b/detections/endpoint/suspicious_process_with_discord_dns_query.yml index 340a8003ce..a84295c241 100644 --- a/detections/endpoint/suspicious_process_with_discord_dns_query.yml +++ b/detections/endpoint/suspicious_process_with_discord_dns_query.yml @@ -16,12 +16,12 @@ references: - https://medium.com/s2wblog/analysis-of-destructive-malware-whispergate-targeting-ukraine-9d5d158f19f3 - https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/ drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/suspicious_reg_exe_process.yml b/detections/endpoint/suspicious_reg_exe_process.yml index 9b52fbdcfd..8896ff6c18 100644 --- a/detections/endpoint/suspicious_reg_exe_process.yml +++ b/detections/endpoint/suspicious_reg_exe_process.yml @@ -16,12 +16,12 @@ known_false_positives: It's possible for system administrators to write scripts references: - https://car.mitre.org/wiki/CAR-2013-03-001/ drilldown_searches: -- name: View the detection results for $user$ and $dest$ - search: '%original_detection_search% | search user = $user$ dest = $dest$' +- name: View the detection results for - "$user$" and "$dest$" + search: '%original_detection_search% | search user = "$user$" dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ and $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$, $dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" and "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/suspicious_regsvr32_register_suspicious_path.yml b/detections/endpoint/suspicious_regsvr32_register_suspicious_path.yml index 7da84f06c4..761341a9fe 100644 --- a/detections/endpoint/suspicious_regsvr32_register_suspicious_path.yml +++ b/detections/endpoint/suspicious_regsvr32_register_suspicious_path.yml @@ -20,12 +20,12 @@ references: - https://support.microsoft.com/en-us/topic/how-to-use-the-regsvr32-tool-and-troubleshoot-regsvr32-error-messages-a98d960a-7392-e6fe-d90a-3f4e0cb543e5 - https://any.run/report/f29a7d2ecd3585e1e4208e44bcc7156ab5388725f1d29d03e7699da0d4598e7c/0826458b-5367-45cf-b841-c95a33a01718 drilldown_searches: -- name: View the detection results for $user$ and $dest$ - search: '%original_detection_search% | search user = $user$ dest = $dest$' +- name: View the detection results for - "$user$" and "$dest$" + search: '%original_detection_search% | search user = "$user$" dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ and $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$, $dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" and "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/suspicious_rundll32_dllregisterserver.yml b/detections/endpoint/suspicious_rundll32_dllregisterserver.yml index 59eab8771d..bdc96d88d3 100644 --- a/detections/endpoint/suspicious_rundll32_dllregisterserver.yml +++ b/detections/endpoint/suspicious_rundll32_dllregisterserver.yml @@ -22,12 +22,12 @@ references: - https://www.crowdstrike.com/blog/duck-hunting-with-falcon-complete-qakbot-zip-based-campaign/ - https://docs.microsoft.com/en-us/windows/win32/api/olectl/nf-olectl-dllregisterserver?redirectedfrom=MSDN drilldown_searches: -- name: View the detection results for $user$ and $dest$ - search: '%original_detection_search% | search user = $user$ dest = $dest$' +- name: View the detection results for - "$user$" and "$dest$" + search: '%original_detection_search% | search user = "$user$" dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ and $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$, $dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" and "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/suspicious_rundll32_no_command_line_arguments.yml b/detections/endpoint/suspicious_rundll32_no_command_line_arguments.yml index df89f5fb62..4e20ffac7f 100644 --- a/detections/endpoint/suspicious_rundll32_no_command_line_arguments.yml +++ b/detections/endpoint/suspicious_rundll32_no_command_line_arguments.yml @@ -19,12 +19,12 @@ references: - https://lolbas-project.github.io/lolbas/Binaries/Rundll32/ - https://bohops.com/2018/02/26/leveraging-inf-sct-fetch-execute-techniques-for-bypass-evasion-persistence/ drilldown_searches: -- name: View the detection results for $dest$ and $user$ - search: '%original_detection_search% | search dest = $dest$ user = $user$' +- name: View the detection results for - "$dest$" and "$user$" + search: '%original_detection_search% | search dest = "$dest$" user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ and $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$, $user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" and "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/suspicious_rundll32_plugininit.yml b/detections/endpoint/suspicious_rundll32_plugininit.yml index 61bcffcd1e..80f12c6f0b 100644 --- a/detections/endpoint/suspicious_rundll32_plugininit.yml +++ b/detections/endpoint/suspicious_rundll32_plugininit.yml @@ -16,12 +16,12 @@ known_false_positives: third party application may used this dll export name to references: - https://threatpost.com/icedid-banking-trojan-surges-emotet/165314/ drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/suspicious_rundll32_startw.yml b/detections/endpoint/suspicious_rundll32_startw.yml index 5d0afd2f7c..8dbb686b56 100644 --- a/detections/endpoint/suspicious_rundll32_startw.yml +++ b/detections/endpoint/suspicious_rundll32_startw.yml @@ -20,12 +20,12 @@ references: - https://lolbas-project.github.io/lolbas/Binaries/Rundll32/ - https://bohops.com/2018/02/26/leveraging-inf-sct-fetch-execute-techniques-for-bypass-evasion-persistence/ drilldown_searches: -- name: View the detection results for $dest$ and $user$ - search: '%original_detection_search% | search dest = $dest$ user = $user$' +- name: View the detection results for - "$dest$" and "$user$" + search: '%original_detection_search% | search dest = "$dest$" user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ and $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$, $user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" and "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/suspicious_scheduled_task_from_public_directory.yml b/detections/endpoint/suspicious_scheduled_task_from_public_directory.yml index 3d9026321b..e39a3b9b00 100644 --- a/detections/endpoint/suspicious_scheduled_task_from_public_directory.yml +++ b/detections/endpoint/suspicious_scheduled_task_from_public_directory.yml @@ -16,12 +16,12 @@ known_false_positives: The main source of false positives could be the legitimat references: - https://attack.mitre.org/techniques/T1053/005/ drilldown_searches: -- name: View the detection results for $dest$ and $user$ - search: '%original_detection_search% | search dest = $dest$ user = $user$' +- name: View the detection results for - "$dest$" and "$user$" + search: '%original_detection_search% | search dest = "$dest$" user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ and $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$, $user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" and "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/suspicious_searchprotocolhost_no_command_line_arguments.yml b/detections/endpoint/suspicious_searchprotocolhost_no_command_line_arguments.yml index 9aa6c15145..95532cc1ad 100644 --- a/detections/endpoint/suspicious_searchprotocolhost_no_command_line_arguments.yml +++ b/detections/endpoint/suspicious_searchprotocolhost_no_command_line_arguments.yml @@ -16,12 +16,12 @@ known_false_positives: Limited false positives may be present in small environme references: - https://github.com/mandiant/red_team_tool_countermeasures/blob/master/rules/PGF/supplemental/hxioc/SUSPICIOUS%20EXECUTION%20OF%20SEARCHPROTOCOLHOST%20(METHODOLOGY).ioc drilldown_searches: -- name: View the detection results for $dest$ and $user$ - search: '%original_detection_search% | search dest = $dest$ user = $user$' +- name: View the detection results for - "$dest$" and "$user$" + search: '%original_detection_search% | search dest = "$dest$" user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ and $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$, $user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" and "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/suspicious_sqlite3_lsquarantine_behavior.yml b/detections/endpoint/suspicious_sqlite3_lsquarantine_behavior.yml index 7855faa8e1..935d91db0d 100644 --- a/detections/endpoint/suspicious_sqlite3_lsquarantine_behavior.yml +++ b/detections/endpoint/suspicious_sqlite3_lsquarantine_behavior.yml @@ -5,33 +5,13 @@ date: '2024-10-17' author: Michael Haag, Splunk status: experimental type: TTP -description: The following analytic identifies the use of SQLite3 querying the MacOS - preferences to determine the original URL from which a package was downloaded. This - detection leverages data from Endpoint Detection and Response (EDR) agents, focusing - on process names and command-line executions involving LSQuarantine. This activity - is significant as it is commonly associated with MacOS adware and other malicious - software. If confirmed malicious, this behavior could indicate an attempt to track - or manipulate downloaded packages, potentially leading to further system compromise - or persistent adware infections. +description: The following analytic identifies the use of SQLite3 querying the MacOS preferences to determine the original URL from which a package was downloaded. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions involving LSQuarantine. This activity is significant as it is commonly associated with MacOS adware and other malicious software. If confirmed malicious, this behavior could indicate an attempt to track or manipulate downloaded packages, potentially leading to further system compromise or persistent adware infections. data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) - as lastTime from datamodel=Endpoint.Processes where Processes.process_name=sqlite3 - Processes.process=*LSQuarantine* by Processes.dest Processes.user Processes.parent_process - Processes.process_name Processes.process Processes.process_id Processes.parent_process_id - | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` - | `suspicious_sqlite3_lsquarantine_behavior_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection - and Response (EDR) agents. These agents are designed to provide security-related - telemetry from the endpoints where the agent is installed. To implement this search, - you must ingest logs that contain the process GUID, process name, and parent process. - Additionally, you must ingest complete command-line executions. These logs must - be processed using the appropriate Splunk Technology Add-ons that are specific to - the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` - data model. Use the Splunk Common Information Model (CIM) to normalize the field - names and speed up the data modeling process. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=sqlite3 Processes.process=*LSQuarantine* by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `suspicious_sqlite3_lsquarantine_behavior_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. known_false_positives: Unknown. references: - https://redcanary.com/blog/clipping-silver-sparrows-wings/ diff --git a/detections/endpoint/suspicious_ticket_granting_ticket_request.yml b/detections/endpoint/suspicious_ticket_granting_ticket_request.yml index 97c179d216..345f652f7d 100644 --- a/detections/endpoint/suspicious_ticket_granting_ticket_request.yml +++ b/detections/endpoint/suspicious_ticket_granting_ticket_request.yml @@ -5,29 +5,13 @@ date: '2024-10-17' author: Mauricio Velazco, Splunk status: production type: Hunting -description: The following analytic detects suspicious Kerberos Ticket Granting Ticket - (TGT) requests that may indicate exploitation of CVE-2021-42278 and CVE-2021-42287. - It leverages Event ID 4781 (account name change) and Event ID 4768 (TGT request) - to identify sequences where a newly renamed computer account requests a TGT. This - behavior is significant as it could represent an attempt to escalate privileges - by impersonating a Domain Controller. If confirmed malicious, this activity could - allow attackers to gain elevated access and potentially control over the domain - environment. +description: The following analytic detects suspicious Kerberos Ticket Granting Ticket (TGT) requests that may indicate exploitation of CVE-2021-42278 and CVE-2021-42287. It leverages Event ID 4781 (account name change) and Event ID 4768 (TGT request) to identify sequences where a newly renamed computer account requests a TGT. This behavior is significant as it could represent an attempt to escalate privileges by impersonating a Domain Controller. If confirmed malicious, this activity could allow attackers to gain elevated access and potentially control over the domain environment. data_source: - Windows Event Log Security 4768 - Windows Event Log Security 4781 -search: '`wineventlog_security` (EventCode=4781 OldTargetUserName="*$" NewTargetUserName!="*$") - OR (EventCode=4768 TargetUserName!="*$") | eval RenamedComputerAccount = coalesce(NewTargetUserName, - TargetUserName) | transaction RenamedComputerAccount startswith=(EventCode=4781) - endswith=(EventCode=4768) | eval short_lived=case((duration<2),"TRUE") | search - short_lived = TRUE | table _time, Computer, EventCode, TargetUserName, RenamedComputerAccount, - short_lived | rename Computer as dest | `suspicious_ticket_granting_ticket_request_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting - Domain Controller and Kerberos events. The Advanced Security Audit policy setting - `Audit Kerberos Authentication Service` within `Account Logon` needs to be enabled. -known_false_positives: A computer account name change event inmediately followed by - a kerberos TGT request with matching fields is unsual. However, legitimate behavior - may trigger it. Filter as needed. +search: '`wineventlog_security` (EventCode=4781 OldTargetUserName="*$" NewTargetUserName!="*$") OR (EventCode=4768 TargetUserName!="*$") | eval RenamedComputerAccount = coalesce(NewTargetUserName, TargetUserName) | transaction RenamedComputerAccount startswith=(EventCode=4781) endswith=(EventCode=4768) | eval short_lived=case((duration<2),"TRUE") | search short_lived = TRUE | table _time, Computer, EventCode, TargetUserName, RenamedComputerAccount, short_lived | rename Computer as dest | `suspicious_ticket_granting_ticket_request_filter`' +how_to_implement: To successfully implement this search, you need to be ingesting Domain Controller and Kerberos events. The Advanced Security Audit policy setting `Audit Kerberos Authentication Service` within `Account Logon` needs to be enabled. +known_false_positives: A computer account name change event inmediately followed by a kerberos TGT request with matching fields is unsual. However, legitimate behavior may trigger it. Filter as needed. references: - https://exploit.ph/cve-2021-42287-cve-2021-42278-weaponisation.html - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-42278 @@ -65,7 +49,6 @@ tags: tests: - name: True Positive Test attack_data: - - data: - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078.002/suspicious_ticket_granting_ticket_request/windows-xml.log + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078.002/suspicious_ticket_granting_ticket_request/windows-xml.log source: XmlWinEventLog:Security sourcetype: XmlWinEventLog diff --git a/detections/endpoint/suspicious_wav_file_in_appdata_folder.yml b/detections/endpoint/suspicious_wav_file_in_appdata_folder.yml index 69b3e91a3e..ef8c54d576 100644 --- a/detections/endpoint/suspicious_wav_file_in_appdata_folder.yml +++ b/detections/endpoint/suspicious_wav_file_in_appdata_folder.yml @@ -18,12 +18,12 @@ references: - https://success.trendmicro.com/dcx/s/solution/1123281-remcos-malware-information?language=en_US - https://blog.malwarebytes.com/threat-intelligence/2021/07/remcos-rat-delivered-via-visual-basic/ drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/suspicious_wevtutil_usage.yml b/detections/endpoint/suspicious_wevtutil_usage.yml index c7b5fd5fa6..2aa3d2e0a7 100644 --- a/detections/endpoint/suspicious_wevtutil_usage.yml +++ b/detections/endpoint/suspicious_wevtutil_usage.yml @@ -16,12 +16,12 @@ known_false_positives: The wevtutil.exe application is a legitimate Windows even references: - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.001/T1070.001.md drilldown_searches: -- name: View the detection results for $dest$ and $user$ - search: '%original_detection_search% | search dest = $dest$ user = $user$' +- name: View the detection results for - "$dest$" and "$user$" + search: '%original_detection_search% | search dest = "$dest$" user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ and $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$, $user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" and "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/suspicious_writes_to_windows_recycle_bin.yml b/detections/endpoint/suspicious_writes_to_windows_recycle_bin.yml index 3c3c8e92e3..68240472f8 100644 --- a/detections/endpoint/suspicious_writes_to_windows_recycle_bin.yml +++ b/detections/endpoint/suspicious_writes_to_windows_recycle_bin.yml @@ -13,12 +13,12 @@ how_to_implement: To successfully implement this search you need to be ingesting known_false_positives: Because the Recycle Bin is a hidden folder in modern versions of Windows, it would be unusual for a process other than explorer.exe to write to it. Incidents should be investigated as appropriate. references: [] drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/svchost_lolbas_execution_process_spawn.yml b/detections/endpoint/svchost_lolbas_execution_process_spawn.yml index e0009d53e6..3f8ec89a97 100644 --- a/detections/endpoint/svchost_lolbas_execution_process_spawn.yml +++ b/detections/endpoint/svchost_lolbas_execution_process_spawn.yml @@ -18,12 +18,12 @@ references: - https://www.ired.team/offensive-security/persistence/t1053-schtask - https://lolbas-project.github.io/ drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/system_info_gathering_using_dxdiag_application.yml b/detections/endpoint/system_info_gathering_using_dxdiag_application.yml index 9565634ff4..3c95640e63 100644 --- a/detections/endpoint/system_info_gathering_using_dxdiag_application.yml +++ b/detections/endpoint/system_info_gathering_using_dxdiag_application.yml @@ -5,35 +5,14 @@ date: '2024-10-17' author: Teoderick Contreras, Splunk status: production type: Hunting -description: The following analytic identifies the execution of the dxdiag.exe process - with specific command-line arguments, which is used to gather system information. - This detection leverages data from Endpoint Detection and Response (EDR) agents, - focusing on process creation events and command-line details. This activity is significant - because dxdiag.exe is rarely used in corporate environments and its execution may - indicate reconnaissance efforts by malicious actors. If confirmed malicious, this - activity could allow attackers to collect detailed system information, aiding in - further exploitation or lateral movement within the network. +description: The following analytic identifies the execution of the dxdiag.exe process with specific command-line arguments, which is used to gather system information. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process creation events and command-line details. This activity is significant because dxdiag.exe is rarely used in corporate environments and its execution may indicate reconnaissance efforts by malicious actors. If confirmed malicious, this activity could allow attackers to collect detailed system information, aiding in further exploitation or lateral movement within the network. data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) - as lastTime from datamodel=Endpoint.Processes where `process_dxdiag` AND Processes.process - = "* /t *" by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process - Processes.process_name Processes.process Processes.process_id Processes.parent_process_id - | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` - | `system_info_gathering_using_dxdiag_application_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection - and Response (EDR) agents. These agents are designed to provide security-related - telemetry from the endpoints where the agent is installed. To implement this search, - you must ingest logs that contain the process GUID, process name, and parent process. - Additionally, you must ingest complete command-line executions. These logs must - be processed using the appropriate Splunk Technology Add-ons that are specific to - the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` - data model. Use the Splunk Common Information Model (CIM) to normalize the field - names and speed up the data modeling process. -known_false_positives: This commandline can be used by a network administrator to - audit host machine specifications. Thus, a filter is needed. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_dxdiag` AND Processes.process = "* /t *" by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `system_info_gathering_using_dxdiag_application_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. +known_false_positives: This commandline can be used by a network administrator to audit host machine specifications. Thus, a filter is needed. references: - https://app.any.run/tasks/df0baf9f-8baf-4c32-a452-16562ecb19be/ tags: @@ -76,7 +55,6 @@ tags: tests: - name: True Positive Test attack_data: - - data: - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/t1592/host_info_dxdiag/sysmon.log + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/t1592/host_info_dxdiag/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/system_information_discovery_detection.yml b/detections/endpoint/system_information_discovery_detection.yml index 62e1fc4020..4564981fd2 100644 --- a/detections/endpoint/system_information_discovery_detection.yml +++ b/detections/endpoint/system_information_discovery_detection.yml @@ -16,12 +16,12 @@ known_false_positives: Administrators debugging servers references: - https://web.archive.org/web/20210119205146/https://oscp.infosecsanyam.in/priv-escalation/windows-priv-escalation drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/system_processes_run_from_unexpected_locations.yml b/detections/endpoint/system_processes_run_from_unexpected_locations.yml index 3a0f86347a..dcfd6a9f86 100644 --- a/detections/endpoint/system_processes_run_from_unexpected_locations.yml +++ b/detections/endpoint/system_processes_run_from_unexpected_locations.yml @@ -17,12 +17,12 @@ references: - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.003/T1036.003.yaml - https://attack.mitre.org/techniques/T1036/003/ drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/system_user_discovery_with_query.yml b/detections/endpoint/system_user_discovery_with_query.yml index 01d59c9428..eb0e65adc9 100644 --- a/detections/endpoint/system_user_discovery_with_query.yml +++ b/detections/endpoint/system_user_discovery_with_query.yml @@ -5,32 +5,13 @@ date: '2024-10-17' author: Mauricio Velazco, Splunk status: production type: Hunting -description: The following analytic detects the execution of `query.exe` with command-line - arguments aimed at discovering logged-in users. It leverages data from Endpoint - Detection and Response (EDR) agents, focusing on process names and command-line - executions. This activity is significant as adversaries may use `query.exe` to gain - situational awareness and perform Active Directory discovery on compromised endpoints. - If confirmed malicious, this behavior could allow attackers to identify active users, - aiding in further lateral movement and privilege escalation within the network. +description: The following analytic detects the execution of `query.exe` with command-line arguments aimed at discovering logged-in users. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. This activity is significant as adversaries may use `query.exe` to gain situational awareness and perform Active Directory discovery on compromised endpoints. If confirmed malicious, this behavior could allow attackers to identify active users, aiding in further lateral movement and privilege escalation within the network. data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) - as lastTime from datamodel=Endpoint.Processes where (Processes.process_name="query.exe") - (Processes.process=*user*) by Processes.dest Processes.user Processes.parent_process - Processes.process_name Processes.process Processes.process_id Processes.parent_process_id - | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` - | `system_user_discovery_with_query_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection - and Response (EDR) agents. These agents are designed to provide security-related - telemetry from the endpoints where the agent is installed. To implement this search, - you must ingest logs that contain the process GUID, process name, and parent process. - Additionally, you must ingest complete command-line executions. These logs must - be processed using the appropriate Splunk Technology Add-ons that are specific to - the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` - data model. Use the Splunk Common Information Model (CIM) to normalize the field - names and speed up the data modeling process. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name="query.exe") (Processes.process=*user*) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `system_user_discovery_with_query_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. known_false_positives: Administrators or power users may use this command for troubleshooting. references: - https://attack.mitre.org/techniques/T1033/ @@ -70,7 +51,6 @@ tags: tests: - name: True Positive Test attack_data: - - data: - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1033/AD_discovery/windows-sysmon.log + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1033/AD_discovery/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/system_user_discovery_with_whoami.yml b/detections/endpoint/system_user_discovery_with_whoami.yml index 463ccf2d52..bb1d31cf1e 100644 --- a/detections/endpoint/system_user_discovery_with_whoami.yml +++ b/detections/endpoint/system_user_discovery_with_whoami.yml @@ -5,32 +5,13 @@ date: '2024-10-17' author: Mauricio Velazco, Splunk status: production type: Hunting -description: The following analytic detects the execution of `whoami.exe` without - any arguments. It leverages data from Endpoint Detection and Response (EDR) agents, - focusing on process execution logs. This activity is significant because both Red - Teams and adversaries use `whoami.exe` to identify the current logged-in user, aiding - in situational awareness and Active Directory discovery. If confirmed malicious, - this behavior could indicate an attacker is gathering information to further compromise - the system, potentially leading to privilege escalation or lateral movement within - the network. +description: The following analytic detects the execution of `whoami.exe` without any arguments. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs. This activity is significant because both Red Teams and adversaries use `whoami.exe` to identify the current logged-in user, aiding in situational awareness and Active Directory discovery. If confirmed malicious, this behavior could indicate an attacker is gathering information to further compromise the system, potentially leading to privilege escalation or lateral movement within the network. data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) - as lastTime from datamodel=Endpoint.Processes where (Processes.process_name="whoami.exe") - by Processes.dest Processes.user Processes.parent_process Processes.process_name - Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` - | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `system_user_discovery_with_whoami_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection - and Response (EDR) agents. These agents are designed to provide security-related - telemetry from the endpoints where the agent is installed. To implement this search, - you must ingest logs that contain the process GUID, process name, and parent process. - Additionally, you must ingest complete command-line executions. These logs must - be processed using the appropriate Splunk Technology Add-ons that are specific to - the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` - data model. Use the Splunk Common Information Model (CIM) to normalize the field - names and speed up the data modeling process. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name="whoami.exe") by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `system_user_discovery_with_whoami_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. known_false_positives: Administrators or power users may use this command for troubleshooting. references: - https://attack.mitre.org/techniques/T1033/ @@ -74,7 +55,6 @@ tags: tests: - name: True Positive Test attack_data: - - data: - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1033/AD_discovery/windows-sysmon.log + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1033/AD_discovery/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/time_provider_persistence_registry.yml b/detections/endpoint/time_provider_persistence_registry.yml index 75686ebdcb..f04837d216 100644 --- a/detections/endpoint/time_provider_persistence_registry.yml +++ b/detections/endpoint/time_provider_persistence_registry.yml @@ -16,12 +16,12 @@ references: - https://pentestlab.blog/2019/10/22/persistence-time-providers/ - https://attack.mitre.org/techniques/T1547/003/ drilldown_searches: -- name: View the detection results for $dest$ and $user$ - search: '%original_detection_search% | search dest = $dest$ user = $user$' +- name: View the detection results for - "$dest$" and "$user$" + search: '%original_detection_search% | search dest = "$dest$" user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ and $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$, $user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" and "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/trickbot_named_pipe.yml b/detections/endpoint/trickbot_named_pipe.yml index e19adfd052..0b99c4b0a8 100644 --- a/detections/endpoint/trickbot_named_pipe.yml +++ b/detections/endpoint/trickbot_named_pipe.yml @@ -16,12 +16,12 @@ references: - https://labs.vipre.com/trickbot-and-its-modules/ - https://whitehat.eu/incident-response-case-study-featuring-ryuk-and-trickbot-part-2/ drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/uac_bypass_mmc_load_unsigned_dll.yml b/detections/endpoint/uac_bypass_mmc_load_unsigned_dll.yml index 1e8b28e1c6..c214cac061 100644 --- a/detections/endpoint/uac_bypass_mmc_load_unsigned_dll.yml +++ b/detections/endpoint/uac_bypass_mmc_load_unsigned_dll.yml @@ -14,12 +14,12 @@ known_false_positives: unknown. all of the dll loaded by mmc.exe is microsoft si references: - https://offsec.almond.consulting/UAC-bypass-dotnet.html drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/uac_bypass_with_colorui_com_object.yml b/detections/endpoint/uac_bypass_with_colorui_com_object.yml index 415fb12aa4..ba04bc7c48 100644 --- a/detections/endpoint/uac_bypass_with_colorui_com_object.yml +++ b/detections/endpoint/uac_bypass_with_colorui_com_object.yml @@ -14,12 +14,12 @@ known_false_positives: not so common. but 3rd part app may load this dll. references: - https://news.sophos.com/en-us/2020/04/24/lockbit-ransomware-borrows-tricks-to-keep-up-with-revil-and-maze/ drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/uninstall_app_using_msiexec.yml b/detections/endpoint/uninstall_app_using_msiexec.yml index 762b4bd35a..92c97108a3 100644 --- a/detections/endpoint/uninstall_app_using_msiexec.yml +++ b/detections/endpoint/uninstall_app_using_msiexec.yml @@ -16,12 +16,12 @@ known_false_positives: unknown. references: - https://threadreaderapp.com/thread/1423361119926816776.html drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/unknown_process_using_the_kerberos_protocol.yml b/detections/endpoint/unknown_process_using_the_kerberos_protocol.yml index e1b1ee20fc..c0959df676 100644 --- a/detections/endpoint/unknown_process_using_the_kerberos_protocol.yml +++ b/detections/endpoint/unknown_process_using_the_kerberos_protocol.yml @@ -15,12 +15,12 @@ references: - https://stealthbits.com/blog/how-to-detect-overpass-the-hash-attacks/ - https://www.thehacker.recipes/ad/movement/kerberos/ptk drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/unload_sysmon_filter_driver.yml b/detections/endpoint/unload_sysmon_filter_driver.yml index 21b7a23bca..b453db7779 100644 --- a/detections/endpoint/unload_sysmon_filter_driver.yml +++ b/detections/endpoint/unload_sysmon_filter_driver.yml @@ -16,12 +16,12 @@ known_false_positives: Unknown at the moment references: - https://www.ired.team/offensive-security/defense-evasion/unloading-sysmon-driver drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/unloading_amsi_via_reflection.yml b/detections/endpoint/unloading_amsi_via_reflection.yml index 2ea9508c3c..551191cdd0 100644 --- a/detections/endpoint/unloading_amsi_via_reflection.yml +++ b/detections/endpoint/unloading_amsi_via_reflection.yml @@ -17,12 +17,12 @@ references: - https://static1.squarespace.com/static/552092d5e4b0661088167e5c/t/59c1814829f18782e24f1fe2/1505853768977/Windows+PowerShell+Logging+Cheat+Sheet+ver+Sept+2017+v2.1.pdf - https://www.crowdstrike.com/blog/investigating-powershell-command-and-script-logging/ drilldown_searches: -- name: View the detection results for $Computer$ - search: '%original_detection_search% | search Computer = $Computer$' +- name: View the detection results for - "$Computer$" + search: '%original_detection_search% | search Computer = "$Computer$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $Computer$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($Computer$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$Computer$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$Computer$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/unusual_number_of_computer_service_tickets_requested.yml b/detections/endpoint/unusual_number_of_computer_service_tickets_requested.yml index 636054abdf..f8ede9c340 100644 --- a/detections/endpoint/unusual_number_of_computer_service_tickets_requested.yml +++ b/detections/endpoint/unusual_number_of_computer_service_tickets_requested.yml @@ -5,29 +5,12 @@ date: '2024-10-17' author: Mauricio Velazco, Splunk status: experimental type: Hunting -description: 'The following analytic identifies an unusual number of computer service - ticket requests from a single source, leveraging Event ID 4769, "A Kerberos service - ticket was requested." It uses statistical analysis, including standard deviation - and the 3-sigma rule, to detect anomalies in service ticket requests. This activity - is significant as it may indicate malicious behavior such as lateral movement, malware - staging, or reconnaissance. If confirmed malicious, an attacker could gain unauthorized - access to multiple endpoints, facilitating further compromise and potential data - exfiltration.' +description: The following analytic identifies an unusual number of computer service ticket requests from a single source, leveraging Event ID 4769, "A Kerberos service ticket was requested." It uses statistical analysis, including standard deviation and the 3-sigma rule, to detect anomalies in service ticket requests. This activity is significant as it may indicate malicious behavior such as lateral movement, malware staging, or reconnaissance. If confirmed malicious, an attacker could gain unauthorized access to multiple endpoints, facilitating further compromise and potential data exfiltration. data_source: - Windows Event Log Security 4769 -search: '`wineventlog_security` EventCode=4769 Service_Name="*$" Account_Name!="*$*" - | bucket span=2m _time | stats dc(Service_Name) AS unique_targets values(Service_Name) - as host_targets by _time, Client_Address, Account_Name | eventstats avg(unique_targets) - as comp_avg , stdev(unique_targets) as comp_std by Client_Address, Account_Name - | eval upperBound=(comp_avg+comp_std*3) | eval isOutlier=if(unique_targets >10 and - unique_targets >= upperBound, 1, 0) | `unusual_number_of_computer_service_tickets_requested_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting - Domain Controller and Kerberos events. The Advanced Security Audit policy setting - `Audit Kerberos Authentication Service` within `Account Logon` needs to be enabled. -known_false_positives: An single endpoint requesting a large number of computer service - tickets is not common behavior. Possible false positive scenarios include but are - not limited to vulnerability scanners, administration systeams and missconfigured - systems. +search: '`wineventlog_security` EventCode=4769 Service_Name="*$" Account_Name!="*$*" | bucket span=2m _time | stats dc(Service_Name) AS unique_targets values(Service_Name) as host_targets by _time, Client_Address, Account_Name | eventstats avg(unique_targets) as comp_avg , stdev(unique_targets) as comp_std by Client_Address, Account_Name | eval upperBound=(comp_avg+comp_std*3) | eval isOutlier=if(unique_targets >10 and unique_targets >= upperBound, 1, 0) | `unusual_number_of_computer_service_tickets_requested_filter`' +how_to_implement: To successfully implement this search, you need to be ingesting Domain Controller and Kerberos events. The Advanced Security Audit policy setting `Audit Kerberos Authentication Service` within `Account Logon` needs to be enabled. +known_false_positives: An single endpoint requesting a large number of computer service tickets is not common behavior. Possible false positive scenarios include but are not limited to vulnerability scanners, administration systeams and missconfigured systems. references: - https://attack.mitre.org/techniques/T1078/ tags: diff --git a/detections/endpoint/unusual_number_of_kerberos_service_tickets_requested.yml b/detections/endpoint/unusual_number_of_kerberos_service_tickets_requested.yml index 37755549fe..56ae60c45a 100644 --- a/detections/endpoint/unusual_number_of_kerberos_service_tickets_requested.yml +++ b/detections/endpoint/unusual_number_of_kerberos_service_tickets_requested.yml @@ -15,12 +15,12 @@ references: - https://attack.mitre.org/techniques/T1558/003/ - https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/t1208-kerberoasting drilldown_searches: -- name: View the detection results for $src$ - search: '%original_detection_search% | search src = $src$' +- name: View the detection results for - "$src$" + search: '%original_detection_search% | search src = "$src$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $src$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($src$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$src$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/unusual_number_of_remote_endpoint_authentication_events.yml b/detections/endpoint/unusual_number_of_remote_endpoint_authentication_events.yml index 37f1e465d0..7bc1ff16b7 100644 --- a/detections/endpoint/unusual_number_of_remote_endpoint_authentication_events.yml +++ b/detections/endpoint/unusual_number_of_remote_endpoint_authentication_events.yml @@ -5,29 +5,12 @@ date: '2024-10-17' author: Mauricio Velazco, Splunk status: experimental type: Hunting -description: 'The following analytic identifies an unusual number of remote authentication - attempts from a single source by leveraging Windows Event ID 4624, which logs successful - account logons. It uses statistical analysis, specifically the 3-sigma rule, to - detect deviations from normal behavior. This activity is significant for a SOC as - it may indicate lateral movement, malware staging, or reconnaissance. If confirmed - malicious, this behavior could allow an attacker to move laterally within the network, - escalate privileges, or gather information for further attacks.' +description: The following analytic identifies an unusual number of remote authentication attempts from a single source by leveraging Windows Event ID 4624, which logs successful account logons. It uses statistical analysis, specifically the 3-sigma rule, to detect deviations from normal behavior. This activity is significant for a SOC as it may indicate lateral movement, malware staging, or reconnaissance. If confirmed malicious, this behavior could allow an attacker to move laterally within the network, escalate privileges, or gather information for further attacks. data_source: - Windows Event Log Security 4624 -search: '`wineventlog_security` EventCode=4624 Logon_Type=3 Account_Name!="*$" | - eval Source_Account = mvindex(Account_Name, 1) | bucket span=2m _time | stats dc(ComputerName) - AS unique_targets values(ComputerName) as target_hosts by _time, Source_Network_Address, - Source_Account | eventstats avg(unique_targets) as comp_avg , stdev(unique_targets) - as comp_std by Source_Network_Address, Source_Account | eval upperBound=(comp_avg+comp_std*3) - | eval isOutlier=if(unique_targets >10 and unique_targets >= upperBound, 1, 0) | - `unusual_number_of_remote_endpoint_authentication_events_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting - Windows Event Logs from domain controllers as well as member servers and workstations. - The Advanced Security Audit policy setting `Audit Logon` within `Logon/Logoff` needs - to be enabled. -known_false_positives: An single endpoint authenticating to a large number of hosts - is not common behavior. Possible false positive scenarios include but are not limited - to vulnerability scanners, jump servers and missconfigured systems. +search: '`wineventlog_security` EventCode=4624 Logon_Type=3 Account_Name!="*$" | eval Source_Account = mvindex(Account_Name, 1) | bucket span=2m _time | stats dc(ComputerName) AS unique_targets values(ComputerName) as target_hosts by _time, Source_Network_Address, Source_Account | eventstats avg(unique_targets) as comp_avg , stdev(unique_targets) as comp_std by Source_Network_Address, Source_Account | eval upperBound=(comp_avg+comp_std*3) | eval isOutlier=if(unique_targets >10 and unique_targets >= upperBound, 1, 0) | `unusual_number_of_remote_endpoint_authentication_events_filter`' +how_to_implement: To successfully implement this search, you need to be ingesting Windows Event Logs from domain controllers as well as member servers and workstations. The Advanced Security Audit policy setting `Audit Logon` within `Logon/Logoff` needs to be enabled. +known_false_positives: An single endpoint authenticating to a large number of hosts is not common behavior. Possible false positive scenarios include but are not limited to vulnerability scanners, jump servers and missconfigured systems. references: - https://attack.mitre.org/techniques/T1078/ tags: diff --git a/detections/endpoint/unusually_long_command_line.yml b/detections/endpoint/unusually_long_command_line.yml index fdfbe617b2..3feac13ffb 100644 --- a/detections/endpoint/unusually_long_command_line.yml +++ b/detections/endpoint/unusually_long_command_line.yml @@ -5,29 +5,13 @@ date: '2024-10-17' author: David Dorsey, Splunk status: experimental type: Anomaly -description: |- - The following analytic detects unusually long command lines, which may indicate malicious activity. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on the length of command lines executed on hosts. This behavior is significant because attackers often use obfuscated or complex command lines to evade detection and execute malicious payloads. If confirmed malicious, this activity could lead to data theft, ransomware deployment, or further system compromise. Analysts should investigate the source and content of the command line, inspect relevant artifacts, and review concurrent processes to identify potential threats. +description: The following analytic detects unusually long command lines, which may indicate malicious activity. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on the length of command lines executed on hosts. This behavior is significant because attackers often use obfuscated or complex command lines to evade detection and execute malicious payloads. If confirmed malicious, this activity could lead to data theft, ransomware deployment, or further system compromise. Analysts should investigate the source and content of the command line, inspect relevant artifacts, and review concurrent processes to identify potential threats. data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) - as lastTime FROM datamodel=Endpoint.Processes by Processes.user Processes.dest Processes.process_name - Processes.process | `drop_dm_object_name("Processes")` | `security_content_ctime(firstTime)`| - `security_content_ctime(lastTime)`| eval processlen=len(process) | eventstats stdev(processlen) - as stdev, avg(processlen) as avg by dest | stats max(processlen) as maxlen, values(stdev) - as stdevperhost, values(avg) as avgperhost by dest, user, process_name, process - | `unusually_long_command_line_filter` |eval threshold = 3 | where maxlen > ((threshold*stdevperhost) - + avgperhost)' -how_to_implement: The detection is based on data that originates from Endpoint Detection - and Response (EDR) agents. These agents are designed to provide security-related - telemetry from the endpoints where the agent is installed. To implement this search, - you must ingest logs that contain the process GUID, process name, and parent process. - Additionally, you must ingest complete command-line executions. These logs must - be processed using the appropriate Splunk Technology Add-ons that are specific to - the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` - data model. Use the Splunk Common Information Model (CIM) to normalize the field - names and speed up the data modeling process. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes by Processes.user Processes.dest Processes.process_name Processes.process | `drop_dm_object_name("Processes")` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| eval processlen=len(process) | eventstats stdev(processlen) as stdev, avg(processlen) as avg by dest | stats max(processlen) as maxlen, values(stdev) as stdevperhost, values(avg) as avgperhost by dest, user, process_name, process | `unusually_long_command_line_filter` |eval threshold = 3 | where maxlen > ((threshold*stdevperhost) + avgperhost)' +how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. known_false_positives: Some legitimate applications start with long command lines. references: [] tags: diff --git a/detections/endpoint/unusually_long_command_line___mltk.yml b/detections/endpoint/unusually_long_command_line___mltk.yml index 9ce795ebb6..42ad5a5b3f 100644 --- a/detections/endpoint/unusually_long_command_line___mltk.yml +++ b/detections/endpoint/unusually_long_command_line___mltk.yml @@ -5,41 +5,14 @@ date: '2024-10-17' author: Rico Valdez, Splunk status: experimental type: Anomaly -description: The following analytic identifies unusually long command lines executed - on hosts, which may indicate malicious activity. It leverages the Machine Learning - Toolkit (MLTK) to detect command lines with lengths that deviate from the norm for - a given user. This is significant for a SOC as unusually long command lines can - be a sign of obfuscation or complex malicious scripts. If confirmed malicious, this - activity could allow attackers to execute sophisticated commands, potentially leading - to unauthorized access, data exfiltration, or further compromise of the system. +description: The following analytic identifies unusually long command lines executed on hosts, which may indicate malicious activity. It leverages the Machine Learning Toolkit (MLTK) to detect command lines with lengths that deviate from the norm for a given user. This is significant for a SOC as unusually long command lines can be a sign of obfuscation or complex malicious scripts. If confirmed malicious, this activity could allow attackers to execute sophisticated commands, potentially leading to unauthorized access, data exfiltration, or further compromise of the system. data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) - as lastTime FROM datamodel=Endpoint.Processes by Processes.user Processes.dest Processes.process_name - Processes.process | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| - `security_content_ctime(lastTime)`| eval processlen=len(process) | search user!=unknown - | apply cmdline_pdfmodel threshold=0.01 | rename "IsOutlier(processlen)" as isOutlier - | search isOutlier > 0 | table firstTime lastTime user dest process_name process - processlen count | `unusually_long_command_line___mltk_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection - and Response (EDR) agents. These agents are designed to provide security-related - telemetry from the endpoints where the agent is installed. To implement this search, - you must ingest logs that contain the process GUID, process name, and parent process. - Additionally, you must ingest complete command-line executions. These logs must - be processed using the appropriate Splunk Technology Add-ons that are specific to - the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` - data model. Use the Splunk Common Information Model (CIM) to normalize the field - names and speed up the data modeling process. -known_false_positives: Some legitimate applications use long command lines for installs - or updates. You should review identified command lines for legitimacy. You may modify - the first part of the search to omit legitimate command lines from consideration. - If you are seeing more results than desired, you may consider changing the value - of threshold in the search to a smaller value. You should also periodically re-run - the support search to re-build the ML model on the latest data. You may get unexpected - results if the user identified in the results is not present in the data used to - build the associated model. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes by Processes.user Processes.dest Processes.process_name Processes.process | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| eval processlen=len(process) | search user!=unknown | apply cmdline_pdfmodel threshold=0.01 | rename "IsOutlier(processlen)" as isOutlier | search isOutlier > 0 | table firstTime lastTime user dest process_name process processlen count | `unusually_long_command_line___mltk_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. +known_false_positives: Some legitimate applications use long command lines for installs or updates. You should review identified command lines for legitimacy. You may modify the first part of the search to omit legitimate command lines from consideration. If you are seeing more results than desired, you may consider changing the value of threshold in the search to a smaller value. You should also periodically re-run the support search to re-build the ML model on the latest data. You may get unexpected results if the user identified in the results is not present in the data used to build the associated model. references: [] tags: analytic_story: diff --git a/detections/endpoint/user_discovery_with_env_vars_powershell.yml b/detections/endpoint/user_discovery_with_env_vars_powershell.yml index bf59373282..ee9bb7977a 100644 --- a/detections/endpoint/user_discovery_with_env_vars_powershell.yml +++ b/detections/endpoint/user_discovery_with_env_vars_powershell.yml @@ -5,33 +5,13 @@ date: '2024-10-17' author: Mauricio Velazco, Splunk status: production type: Hunting -description: The following analytic detects the execution of `powershell.exe` with - command-line arguments that use PowerShell environment variables to identify the - current logged user. It leverages data from Endpoint Detection and Response (EDR) - agents, focusing on process names and command-line executions. This activity is - significant as adversaries may use it for situational awareness and Active Directory - discovery on compromised endpoints. If confirmed malicious, this behavior could - allow attackers to gather critical user information, aiding in further exploitation - and lateral movement within the network. +description: The following analytic detects the execution of `powershell.exe` with command-line arguments that use PowerShell environment variables to identify the current logged user. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. This activity is significant as adversaries may use it for situational awareness and Active Directory discovery on compromised endpoints. If confirmed malicious, this behavior could allow attackers to gather critical user information, aiding in further exploitation and lateral movement within the network. data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) - as lastTime from datamodel=Endpoint.Processes where (Processes.process_name="powershell.exe") - (Processes.process="*$env:UserName*" OR Processes.process="*[System.Environment]::UserName*") - by Processes.dest Processes.user Processes.parent_process Processes.process_name - Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` - | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `user_discovery_with_env_vars_powershell_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection - and Response (EDR) agents. These agents are designed to provide security-related - telemetry from the endpoints where the agent is installed. To implement this search, - you must ingest logs that contain the process GUID, process name, and parent process. - Additionally, you must ingest complete command-line executions. These logs must - be processed using the appropriate Splunk Technology Add-ons that are specific to - the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` - data model. Use the Splunk Common Information Model (CIM) to normalize the field - names and speed up the data modeling process. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name="powershell.exe") (Processes.process="*$env:UserName*" OR Processes.process="*[System.Environment]::UserName*") by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `user_discovery_with_env_vars_powershell_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. known_false_positives: Administrators or power users may use this command for troubleshooting. references: - https://attack.mitre.org/techniques/T1033/ @@ -71,7 +51,6 @@ tags: tests: - name: True Positive Test attack_data: - - data: - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1033/AD_discovery/windows-sysmon.log + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1033/AD_discovery/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/user_discovery_with_env_vars_powershell_script_block.yml b/detections/endpoint/user_discovery_with_env_vars_powershell_script_block.yml index 9ca70d2719..89a7ff5880 100644 --- a/detections/endpoint/user_discovery_with_env_vars_powershell_script_block.yml +++ b/detections/endpoint/user_discovery_with_env_vars_powershell_script_block.yml @@ -5,26 +5,12 @@ date: '2024-10-17' author: Mauricio Velazco, Splunk status: production type: Hunting -description: The following analytic detects the use of PowerShell environment variables - to identify the current logged user by leveraging PowerShell Script Block Logging - (EventCode=4104). This method monitors script blocks containing `$env:UserName` - or `[System.Environment]::UserName`. Identifying this activity is significant as - adversaries and Red Teams may use it for situational awareness and Active Directory - discovery on compromised endpoints. If confirmed malicious, this activity could - allow attackers to gain insights into user context, aiding in further exploitation - and lateral movement within the network. +description: The following analytic detects the use of PowerShell environment variables to identify the current logged user by leveraging PowerShell Script Block Logging (EventCode=4104). This method monitors script blocks containing `$env:UserName` or `[System.Environment]::UserName`. Identifying this activity is significant as adversaries and Red Teams may use it for situational awareness and Active Directory discovery on compromised endpoints. If confirmed malicious, this activity could allow attackers to gain insights into user context, aiding in further exploitation and lateral movement within the network. data_source: - Powershell Script Block Logging 4104 -search: '`powershell` EventCode=4104 (ScriptBlockText = "*$env:UserName*" OR ScriptBlockText - = "*[System.Environment]::UserName*") | stats count min(_time) as firstTime max(_time) - as lastTime by EventCode ScriptBlockText Computer user_id | rename Computer as dest, - user_id as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` - | `user_discovery_with_env_vars_powershell_script_block_filter`' -how_to_implement: To successfully implement this analytic, you will need to enable - PowerShell Script Block Logging on some or all endpoints. Additional setup here - https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. -known_false_positives: Administrators or power users may use this PowerShell commandlet - for troubleshooting. +search: '`powershell` EventCode=4104 (ScriptBlockText = "*$env:UserName*" OR ScriptBlockText = "*[System.Environment]::UserName*") | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer user_id | rename Computer as dest, user_id as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `user_discovery_with_env_vars_powershell_script_block_filter`' +how_to_implement: To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. +known_false_positives: Administrators or power users may use this PowerShell commandlet for troubleshooting. references: - https://attack.mitre.org/techniques/T1033/ tags: @@ -62,7 +48,6 @@ tags: tests: - name: True Positive Test attack_data: - - data: - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1033/AD_discovery/windows-powershell-xml.log + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1033/AD_discovery/windows-powershell-xml.log source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/usn_journal_deletion.yml b/detections/endpoint/usn_journal_deletion.yml index d62d9c52a8..a3cee3e80a 100644 --- a/detections/endpoint/usn_journal_deletion.yml +++ b/detections/endpoint/usn_journal_deletion.yml @@ -15,12 +15,12 @@ how_to_implement: The detection is based on data that originates from Endpoint D known_false_positives: None identified references: [] drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/vbscript_execution_using_wscript_app.yml b/detections/endpoint/vbscript_execution_using_wscript_app.yml index d66e755b65..2cedd04375 100644 --- a/detections/endpoint/vbscript_execution_using_wscript_app.yml +++ b/detections/endpoint/vbscript_execution_using_wscript_app.yml @@ -17,12 +17,12 @@ references: - https://www.joesandbox.com/analysis/369332/0/html - https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat drilldown_searches: -- name: View the detection results for $dest$ and $user$ - search: '%original_detection_search% | search dest = $dest$ user = $user$' +- name: View the detection results for - "$dest$" and "$user$" + search: '%original_detection_search% | search dest = "$dest$" user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ and $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$, $user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" and "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/verclsid_clsid_execution.yml b/detections/endpoint/verclsid_clsid_execution.yml index f3d46fde50..8214dd95e1 100644 --- a/detections/endpoint/verclsid_clsid_execution.yml +++ b/detections/endpoint/verclsid_clsid_execution.yml @@ -5,37 +5,14 @@ date: '2024-10-17' author: Teoderick Contreras, Splunk status: production type: Hunting -description: The following analytic detects the potential abuse of the verclsid.exe - utility to execute malicious files via generated CLSIDs. It leverages data from - Endpoint Detection and Response (EDR) agents, focusing on specific command-line - patterns associated with verclsid.exe. This activity is significant because verclsid.exe - is a legitimate Windows application used to verify CLSID COM objects, and its misuse - can indicate an attempt to bypass security controls. If confirmed malicious, this - technique could allow an attacker to execute arbitrary code, potentially leading - to system compromise or further malicious activities. +description: The following analytic detects the potential abuse of the verclsid.exe utility to execute malicious files via generated CLSIDs. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on specific command-line patterns associated with verclsid.exe. This activity is significant because verclsid.exe is a legitimate Windows application used to verify CLSID COM objects, and its misuse can indicate an attempt to bypass security controls. If confirmed malicious, this technique could allow an attacker to execute arbitrary code, potentially leading to system compromise or further malicious activities. data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` values(Processes.process) as process - values(Processes.parent_process) as parent_process values(Processes.process_id) - as process_id count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes - where `process_verclsid` AND Processes.process="*/S*" Processes.process="*/C*" AND Processes.process="*{*" - AND Processes.process="*}*" by Processes.process_name Processes.original_file_name - Processes.dest Processes.user Processes.parent_process_name Processes.parent_process - | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` - | `verclsid_clsid_execution_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection - and Response (EDR) agents. These agents are designed to provide security-related - telemetry from the endpoints where the agent is installed. To implement this search, - you must ingest logs that contain the process GUID, process name, and parent process. - Additionally, you must ingest complete command-line executions. These logs must - be processed using the appropriate Splunk Technology Add-ons that are specific to - the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` - data model. Use the Splunk Common Information Model (CIM) to normalize the field - names and speed up the data modeling process. -known_false_positives: windows can used this application for its normal COM object - validation. +search: '| tstats `security_content_summariesonly` values(Processes.process) as process values(Processes.parent_process) as parent_process values(Processes.process_id) as process_id count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_verclsid` AND Processes.process="*/S*" Processes.process="*/C*" AND Processes.process="*{*" AND Processes.process="*}*" by Processes.process_name Processes.original_file_name Processes.dest Processes.user Processes.parent_process_name Processes.parent_process | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `verclsid_clsid_execution_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. +known_false_positives: windows can used this application for its normal COM object validation. references: - https://gist.github.com/NickTyrer/0598b60112eaafe6d07789f7964290d5 - https://bohops.com/2018/08/18/abusing-the-com-registry-structure-part-2-loading-techniques-for-evasion-and-persistence/ @@ -45,8 +22,7 @@ tags: asset_type: Endpoint confidence: 50 impact: 50 - message: process $process_name$ to execute possible clsid commandline $process$ - in $dest$ + message: process $process_name$ to execute possible clsid commandline $process$ in $dest$ mitre_attack_id: - T1218.012 - T1218 @@ -81,7 +57,6 @@ tags: tests: - name: True Positive Test attack_data: - - data: - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.012/verclsid_exec/sysmon.log + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.012/verclsid_exec/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/w3wp_spawning_shell.yml b/detections/endpoint/w3wp_spawning_shell.yml index 04e7e23fd1..58537bedab 100644 --- a/detections/endpoint/w3wp_spawning_shell.yml +++ b/detections/endpoint/w3wp_spawning_shell.yml @@ -19,12 +19,12 @@ references: - https://www.youtube.com/watch?v=FC6iHw258RI - https://www.huntress.com/blog/rapid-response-microsoft-exchange-servers-still-vulnerable-to-proxyshell-exploit#what-should-you-do drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/wbadmin_delete_system_backups.yml b/detections/endpoint/wbadmin_delete_system_backups.yml index 6ef373d9b1..711f67ee0f 100644 --- a/detections/endpoint/wbadmin_delete_system_backups.yml +++ b/detections/endpoint/wbadmin_delete_system_backups.yml @@ -19,12 +19,12 @@ references: - https://attack.mitre.org/techniques/T1490/ - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/wbemprox_com_object_execution.yml b/detections/endpoint/wbemprox_com_object_execution.yml index d66110370a..1c0f20aa16 100644 --- a/detections/endpoint/wbemprox_com_object_execution.yml +++ b/detections/endpoint/wbemprox_com_object_execution.yml @@ -15,12 +15,12 @@ references: - https://krebsonsecurity.com/2021/05/a-closer-look-at-the-darkside-ransomware-gang/ - https://www.mcafee.com/blogs/other-blogs/mcafee-labs/mcafee-atr-analyzes-sodinokibi-aka-revil-ransomware-as-a-service-what-the-code-tells-us/ drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/wermgr_process_connecting_to_ip_check_web_services.yml b/detections/endpoint/wermgr_process_connecting_to_ip_check_web_services.yml index 8c4ed51da4..be38120750 100644 --- a/detections/endpoint/wermgr_process_connecting_to_ip_check_web_services.yml +++ b/detections/endpoint/wermgr_process_connecting_to_ip_check_web_services.yml @@ -15,12 +15,12 @@ references: - https://labs.vipre.com/trickbot-and-its-modules/ - https://whitehat.eu/incident-response-case-study-featuring-ryuk-and-trickbot-part-2/ drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/wermgr_process_create_executable_file.yml b/detections/endpoint/wermgr_process_create_executable_file.yml index bb27eb04ff..a2e112a1cc 100644 --- a/detections/endpoint/wermgr_process_create_executable_file.yml +++ b/detections/endpoint/wermgr_process_create_executable_file.yml @@ -15,12 +15,12 @@ references: - https://labs.vipre.com/trickbot-and-its-modules/ - https://whitehat.eu/incident-response-case-study-featuring-ryuk-and-trickbot-part-2/ drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/wermgr_process_spawned_cmd_or_powershell_process.yml b/detections/endpoint/wermgr_process_spawned_cmd_or_powershell_process.yml index 1ea976136a..643944fe5e 100644 --- a/detections/endpoint/wermgr_process_spawned_cmd_or_powershell_process.yml +++ b/detections/endpoint/wermgr_process_spawned_cmd_or_powershell_process.yml @@ -17,12 +17,12 @@ references: - https://labs.vipre.com/trickbot-and-its-modules/ - https://whitehat.eu/incident-response-case-study-featuring-ryuk-and-trickbot-part-2/ drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/wget_download_and_bash_execution.yml b/detections/endpoint/wget_download_and_bash_execution.yml index fa5fe68bbd..7588d7bf5b 100644 --- a/detections/endpoint/wget_download_and_bash_execution.yml +++ b/detections/endpoint/wget_download_and_bash_execution.yml @@ -18,12 +18,12 @@ references: - https://www.lunasec.io/docs/blog/log4j-zero-day/ - https://gist.github.com/nathanqthai/01808c569903f41a52e7e7b575caa890 drilldown_searches: -- name: View the detection results for $user$ and $dest$ - search: '%original_detection_search% | search user = $user$ dest = $dest$' +- name: View the detection results for - "$user$" and "$dest$" + search: '%original_detection_search% | search user = "$user$" dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ and $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$, $dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" and "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_abused_web_services.yml b/detections/endpoint/windows_abused_web_services.yml index dd11896bee..3e031ce9c4 100644 --- a/detections/endpoint/windows_abused_web_services.yml +++ b/detections/endpoint/windows_abused_web_services.yml @@ -14,12 +14,12 @@ known_false_positives: Noise and false positive can be seen if the following ins references: - https://malpedia.caad.fkie.fraunhofer.de/details/win.njrat drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_access_token_manipulation_sedebugprivilege.yml b/detections/endpoint/windows_access_token_manipulation_sedebugprivilege.yml index 4368137965..dcbbc013b3 100644 --- a/detections/endpoint/windows_access_token_manipulation_sedebugprivilege.yml +++ b/detections/endpoint/windows_access_token_manipulation_sedebugprivilege.yml @@ -18,12 +18,12 @@ references: - https://atomicredteam.io/privilege-escalation/T1134.001/#atomic-test-2---%60sedebugprivilege%60-token-duplication - https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat drilldown_searches: -- name: View the detection results for $Computer$ - search: '%original_detection_search% | search Computer = $Computer$' +- name: View the detection results for - "$Computer$" + search: '%original_detection_search% | search Computer = "$Computer$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $Computer$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($Computer$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$Computer$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$Computer$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_access_token_manipulation_winlogon_duplicate_token_handle.yml b/detections/endpoint/windows_access_token_manipulation_winlogon_duplicate_token_handle.yml index 70ab947335..58b172de9b 100644 --- a/detections/endpoint/windows_access_token_manipulation_winlogon_duplicate_token_handle.yml +++ b/detections/endpoint/windows_access_token_manipulation_winlogon_duplicate_token_handle.yml @@ -5,27 +5,12 @@ date: '2024-10-17' author: Teoderick Contreras, Splunk status: production type: Hunting -description: The following analytic detects a process attempting to access winlogon.exe - to duplicate its handle. This is identified using Sysmon EventCode 10, focusing - on processes targeting winlogon.exe with specific access rights. This activity is - significant because it is a common technique used by adversaries to escalate privileges - by leveraging the high privileges and security tokens associated with winlogon.exe. - If confirmed malicious, this could allow an attacker to gain elevated privileges, - potentially leading to full system compromise and unauthorized access to sensitive - information. +description: The following analytic detects a process attempting to access winlogon.exe to duplicate its handle. This is identified using Sysmon EventCode 10, focusing on processes targeting winlogon.exe with specific access rights. This activity is significant because it is a common technique used by adversaries to escalate privileges by leveraging the high privileges and security tokens associated with winlogon.exe. If confirmed malicious, this could allow an attacker to gain elevated privileges, potentially leading to full system compromise and unauthorized access to sensitive information. data_source: - Sysmon EventID 10 -search: '`sysmon` EventCode=10 TargetImage IN("*\\system32\\winlogon.exe*", "*\\SysWOW64\\winlogon.exe*") - GrantedAccess = 0x1040 | stats count min(_time) as firstTime max(_time) as lastTime - by SourceImage TargetImage SourceProcessGUID TargetProcessGUID SourceProcessId TargetProcessId - GrantedAccess CallTrace dest user_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` - | `windows_access_token_manipulation_winlogon_duplicate_token_handle_filter`' -how_to_implement: To successfully implement this search, you must be ingesting data - that records process activity from your hosts to populate the endpoint data model - in the processes node. If you are using Sysmon, you must have at least version 6.0.4 - of the Sysmon TA. -known_false_positives: It is possible legitimate applications will request access - to winlogon, filter as needed. +search: '`sysmon` EventCode=10 TargetImage IN("*\\system32\\winlogon.exe*", "*\\SysWOW64\\winlogon.exe*") GrantedAccess = 0x1040 | stats count min(_time) as firstTime max(_time) as lastTime by SourceImage TargetImage SourceProcessGUID TargetProcessGUID SourceProcessId TargetProcessId GrantedAccess CallTrace dest user_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_access_token_manipulation_winlogon_duplicate_token_handle_filter`' +how_to_implement: To successfully implement this search, you must be ingesting data that records process activity from your hosts to populate the endpoint data model in the processes node. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. +known_false_positives: It is possible legitimate applications will request access to winlogon, filter as needed. references: - https://docs.microsoft.com/en-us/windows/win32/api/handleapi/nf-handleapi-duplicatehandle - https://attack.mitre.org/techniques/T1134/001/ @@ -35,8 +20,7 @@ tags: asset_type: Endpoint confidence: 60 impact: 60 - message: A process $SourceImage$ is duplicating the handle token of winlogon.exe - in $dest$ + message: A process $SourceImage$ is duplicating the handle token of winlogon.exe in $dest$ mitre_attack_id: - T1134.001 - T1134 @@ -70,8 +54,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/brute_ratel/brute_duplicate_token/sysmon.log + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/brute_ratel/brute_duplicate_token/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog update_timestamp: true diff --git a/detections/endpoint/windows_access_token_winlogon_duplicate_handle_in_uncommon_path.yml b/detections/endpoint/windows_access_token_winlogon_duplicate_handle_in_uncommon_path.yml index 1308bef382..3b2e1e6897 100644 --- a/detections/endpoint/windows_access_token_winlogon_duplicate_handle_in_uncommon_path.yml +++ b/detections/endpoint/windows_access_token_winlogon_duplicate_handle_in_uncommon_path.yml @@ -15,12 +15,12 @@ references: - https://docs.microsoft.com/en-us/windows/win32/api/handleapi/nf-handleapi-duplicatehandle - https://attack.mitre.org/techniques/T1134/001/ drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_account_discovery_for_none_disable_user_account.yml b/detections/endpoint/windows_account_discovery_for_none_disable_user_account.yml index f312ed1a20..a20fdd8e7a 100644 --- a/detections/endpoint/windows_account_discovery_for_none_disable_user_account.yml +++ b/detections/endpoint/windows_account_discovery_for_none_disable_user_account.yml @@ -7,24 +7,10 @@ status: production type: Hunting data_source: - Powershell Script Block Logging 4104 -description: The following analytic detects the execution of the PowerView PowerShell - cmdlet Get-NetUser with the UACFilter parameter set to NOT_ACCOUNTDISABLE, indicating - an attempt to enumerate Active Directory user accounts that are not disabled. This - detection leverages PowerShell Script Block Logging (EventCode 4104) to identify - the specific script block text. Monitoring this activity is significant as it may - indicate reconnaissance efforts by an attacker to identify active user accounts - for further exploitation. If confirmed malicious, this activity could lead to unauthorized - access, privilege escalation, or lateral movement within the network. -search: '`powershell` EventCode=4104 ScriptBlockText = "*Get-NetUser*" ScriptBlockText - = "*NOT_ACCOUNTDISABLE*" ScriptBlockText = "*-UACFilter*" | rename Computer as dest, - UserID as user | stats count min(_time) as firstTime max(_time) as lastTime by EventCode - ScriptBlockText dest user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` - | `windows_account_discovery_for_none_disable_user_account_filter`' -how_to_implement: To successfully implement this analytic, you will need to enable - PowerShell Script Block Logging on some or all endpoints. Additional setup here - https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.= -known_false_positives: Administrators may leverage PowerView for legitimate purposes, - filter as needed. +description: The following analytic detects the execution of the PowerView PowerShell cmdlet Get-NetUser with the UACFilter parameter set to NOT_ACCOUNTDISABLE, indicating an attempt to enumerate Active Directory user accounts that are not disabled. This detection leverages PowerShell Script Block Logging (EventCode 4104) to identify the specific script block text. Monitoring this activity is significant as it may indicate reconnaissance efforts by an attacker to identify active user accounts for further exploitation. If confirmed malicious, this activity could lead to unauthorized access, privilege escalation, or lateral movement within the network. +search: '`powershell` EventCode=4104 ScriptBlockText = "*Get-NetUser*" ScriptBlockText = "*NOT_ACCOUNTDISABLE*" ScriptBlockText = "*-UACFilter*" | rename Computer as dest, UserID as user | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText dest user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_account_discovery_for_none_disable_user_account_filter`' +how_to_implement: To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.= +known_false_positives: Administrators may leverage PowerView for legitimate purposes, filter as needed. references: - https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a - https://powersploit.readthedocs.io/en/stable/Recon/README/ @@ -36,8 +22,7 @@ tags: asset_type: Endpoint confidence: 50 impact: 30 - message: Windows Account Discovery for None Disable User Account using PowerView's - Get-NetUser on $dest$. + message: Windows Account Discovery for None Disable User Account using PowerView's Get-NetUser on $dest$. mitre_attack_id: - T1087 - T1087.001 @@ -61,7 +46,6 @@ tags: tests: - name: True Positive Test attack_data: - - data: - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1087/powerview_get_netuser_preauthnotrequire/get-netuser-not-require-pwh.log + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1087/powerview_get_netuser_preauthnotrequire/get-netuser-not-require-pwh.log source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/windows_account_discovery_for_sam_account_name.yml b/detections/endpoint/windows_account_discovery_for_sam_account_name.yml index ea28b76d13..0f1693ea81 100644 --- a/detections/endpoint/windows_account_discovery_for_sam_account_name.yml +++ b/detections/endpoint/windows_account_discovery_for_sam_account_name.yml @@ -14,12 +14,12 @@ known_false_positives: Administrators may leverage PowerView for legitimate purp references: - https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_account_discovery_with_netuser_preauthnotrequire.yml b/detections/endpoint/windows_account_discovery_with_netuser_preauthnotrequire.yml index b6b9f83713..9a35ddef7c 100644 --- a/detections/endpoint/windows_account_discovery_with_netuser_preauthnotrequire.yml +++ b/detections/endpoint/windows_account_discovery_with_netuser_preauthnotrequire.yml @@ -7,23 +7,10 @@ status: production type: Hunting data_source: - Powershell Script Block Logging 4104 -description: The following analytic detects the execution of the PowerView PowerShell - cmdlet Get-NetUser with the -PreauthNotRequire parameter, leveraging Event ID 4104. - This method identifies attempts to query Active Directory user accounts that do - not require Kerberos preauthentication. Monitoring this activity is crucial as it - can indicate reconnaissance efforts by an attacker to identify potentially vulnerable - accounts. If confirmed malicious, this behavior could lead to further exploitation, - such as unauthorized access or privilege escalation within the network. -search: '`powershell` EventCode=4104 ScriptBlockText = "*Get-NetUser*" ScriptBlockText - = "*-PreauthNotRequire*" | rename Computer as dest, UserID as user | stats count - min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText dest - user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` - | `windows_account_discovery_with_netuser_preauthnotrequire_filter`' -how_to_implement: To successfully implement this analytic, you will need to enable - PowerShell Script Block Logging on some or all endpoints. Additional setup here - https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.= -known_false_positives: Administrators may leverage PowerView for legitimate purposes, - filter as needed. +description: The following analytic detects the execution of the PowerView PowerShell cmdlet Get-NetUser with the -PreauthNotRequire parameter, leveraging Event ID 4104. This method identifies attempts to query Active Directory user accounts that do not require Kerberos preauthentication. Monitoring this activity is crucial as it can indicate reconnaissance efforts by an attacker to identify potentially vulnerable accounts. If confirmed malicious, this behavior could lead to further exploitation, such as unauthorized access or privilege escalation within the network. +search: '`powershell` EventCode=4104 ScriptBlockText = "*Get-NetUser*" ScriptBlockText = "*-PreauthNotRequire*" | rename Computer as dest, UserID as user | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText dest user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_account_discovery_with_netuser_preauthnotrequire_filter`' +how_to_implement: To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.= +known_false_positives: Administrators may leverage PowerView for legitimate purposes, filter as needed. references: - https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a tags: @@ -32,8 +19,7 @@ tags: asset_type: Endpoint confidence: 50 impact: 30 - message: A user dicovery using powerview commandlet Get-NetUser with PreauthNotRequire - parameter on $dest$. + message: A user dicovery using powerview commandlet Get-NetUser with PreauthNotRequire parameter on $dest$. mitre_attack_id: - T1087 observable: @@ -56,7 +42,6 @@ tags: tests: - name: True Positive Test attack_data: - - data: - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1087/powerview_get_netuser_preauthnotrequire/get-netuser-not-require-pwh.log + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1087/powerview_get_netuser_preauthnotrequire/get-netuser-not-require-pwh.log source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/windows_ad_abnormal_object_access_activity.yml b/detections/endpoint/windows_ad_abnormal_object_access_activity.yml index 3bae6110c0..3bbe348601 100644 --- a/detections/endpoint/windows_ad_abnormal_object_access_activity.yml +++ b/detections/endpoint/windows_ad_abnormal_object_access_activity.yml @@ -16,12 +16,12 @@ references: - https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4662 - https://attack.mitre.org/tactics/TA0007/ drilldown_searches: -- name: View the detection results for $user$ - search: '%original_detection_search% | search user = $user$' +- name: View the detection results for - "$user$" + search: '%original_detection_search% | search user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_ad_adminsdholder_acl_modified.yml b/detections/endpoint/windows_ad_adminsdholder_acl_modified.yml index 44d7f15b33..7278ed7266 100644 --- a/detections/endpoint/windows_ad_adminsdholder_acl_modified.yml +++ b/detections/endpoint/windows_ad_adminsdholder_acl_modified.yml @@ -21,12 +21,12 @@ references: - https://medium.com/@cryps1s/detecting-windows-endpoint-compromise-with-sacls-cd748e10950 - https://lantern.splunk.com/Security/Product_Tips/Enterprise_Security/Enabling_an_audit_trail_from_Active_Directory drilldown_searches: -- name: View the detection results for $user$ - search: '%original_detection_search% | search user = $user$' +- name: View the detection results for - "$user$" + search: '%original_detection_search% | search user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_ad_cross_domain_sid_history_addition.yml b/detections/endpoint/windows_ad_cross_domain_sid_history_addition.yml index f8300fb3fb..11f074b032 100644 --- a/detections/endpoint/windows_ad_cross_domain_sid_history_addition.yml +++ b/detections/endpoint/windows_ad_cross_domain_sid_history_addition.yml @@ -17,12 +17,12 @@ references: - https://learn.microsoft.com/en-us/windows/win32/adschema/a-sidhistory?redirectedfrom=MSDN - https://learn.microsoft.com/en-us/defender-for-identity/security-assessment-unsecure-sid-history-attribute drilldown_searches: -- name: View the detection results for $src_user$ and $user$ - search: '%original_detection_search% | search src_user = $src_user$ user = $user$' +- name: View the detection results for - "$src_user$" and "$user$" + search: '%original_detection_search% | search src_user = "$src_user$" user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $src_user$ and $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($src_user$, $user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$src_user$" and "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src_user$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_ad_domain_controller_audit_policy_disabled.yml b/detections/endpoint/windows_ad_domain_controller_audit_policy_disabled.yml index f3ff03fd83..6485f3285e 100644 --- a/detections/endpoint/windows_ad_domain_controller_audit_policy_disabled.yml +++ b/detections/endpoint/windows_ad_domain_controller_audit_policy_disabled.yml @@ -14,12 +14,12 @@ known_false_positives: Unknown references: - https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4719 drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_ad_domain_controller_promotion.yml b/detections/endpoint/windows_ad_domain_controller_promotion.yml index 94f991e51e..91ead7485b 100644 --- a/detections/endpoint/windows_ad_domain_controller_promotion.yml +++ b/detections/endpoint/windows_ad_domain_controller_promotion.yml @@ -14,12 +14,12 @@ known_false_positives: None. references: - https://attack.mitre.org/techniques/T1207/ drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_ad_domain_replication_acl_addition.yml b/detections/endpoint/windows_ad_domain_replication_acl_addition.yml index 5159dbdad0..1c9514e77c 100644 --- a/detections/endpoint/windows_ad_domain_replication_acl_addition.yml +++ b/detections/endpoint/windows_ad_domain_replication_acl_addition.yml @@ -16,12 +16,12 @@ references: - https://github.com/SigmaHQ/sigma/blob/29a5c62784faf986dc03952ae3e90e3df3294284/rules/windows/builtin/security/win_security_account_backdoor_dcsync_rights.yml - https://lantern.splunk.com/Security/Product_Tips/Enterprise_Security/Enabling_an_audit_trail_from_Active_Directory drilldown_searches: -- name: View the detection results for $user$ and $src_user$ - search: '%original_detection_search% | search user = $user$ src_user = $src_user$' +- name: View the detection results for - "$user$" and "$src_user$" + search: '%original_detection_search% | search user = "$user$" src_user = "$src_user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ and $src_user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$, $src_user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" and "$src_user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$src_user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_ad_dsrm_account_changes.yml b/detections/endpoint/windows_ad_dsrm_account_changes.yml index 765a5986a2..a72f5e68a8 100644 --- a/detections/endpoint/windows_ad_dsrm_account_changes.yml +++ b/detections/endpoint/windows_ad_dsrm_account_changes.yml @@ -15,12 +15,12 @@ known_false_positives: Disaster recovery events. references: - https://adsecurity.org/?p=1714 drilldown_searches: -- name: View the detection results for $user$ and $dest$ - search: '%original_detection_search% | search user = $user$ dest = $dest$' +- name: View the detection results for - "$user$" and "$dest$" + search: '%original_detection_search% | search user = "$user$" dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ and $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$, $dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" and "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_ad_dsrm_password_reset.yml b/detections/endpoint/windows_ad_dsrm_password_reset.yml index 29d7550d91..4af7284df5 100644 --- a/detections/endpoint/windows_ad_dsrm_password_reset.yml +++ b/detections/endpoint/windows_ad_dsrm_password_reset.yml @@ -14,12 +14,12 @@ known_false_positives: Resetting the DSRM password for legitamate reasons, i.e. references: - https://adsecurity.org/?p=1714 drilldown_searches: -- name: View the detection results for $user$ and $dest$ - search: '%original_detection_search% | search user = $user$ dest = $dest$' +- name: View the detection results for - "$user$" and "$dest$" + search: '%original_detection_search% | search user = "$user$" dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ and $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$, $dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" and "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_ad_privileged_account_sid_history_addition.yml b/detections/endpoint/windows_ad_privileged_account_sid_history_addition.yml index 20c7ac08f1..21b14452db 100644 --- a/detections/endpoint/windows_ad_privileged_account_sid_history_addition.yml +++ b/detections/endpoint/windows_ad_privileged_account_sid_history_addition.yml @@ -15,12 +15,12 @@ known_false_positives: Migration of privileged accounts. references: - https://adsecurity.org/?p=1772 drilldown_searches: -- name: View the detection results for $src_user$ - search: '%original_detection_search% | search src_user = $src_user$' +- name: View the detection results for - "$src_user$" + search: '%original_detection_search% | search src_user = "$src_user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $src_user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($src_user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$src_user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src_user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_ad_privileged_object_access_activity.yml b/detections/endpoint/windows_ad_privileged_object_access_activity.yml index 40343ba362..b6c78f36bf 100644 --- a/detections/endpoint/windows_ad_privileged_object_access_activity.yml +++ b/detections/endpoint/windows_ad_privileged_object_access_activity.yml @@ -16,12 +16,12 @@ references: - https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4662 - https://attack.mitre.org/tactics/TA0007/ drilldown_searches: -- name: View the detection results for $user$ - search: '%original_detection_search% | search user = $user$' +- name: View the detection results for - "$user$" + search: '%original_detection_search% | search user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_ad_replication_request_initiated_by_user_account.yml b/detections/endpoint/windows_ad_replication_request_initiated_by_user_account.yml index 5bbb3d223c..258b53af8f 100644 --- a/detections/endpoint/windows_ad_replication_request_initiated_by_user_account.yml +++ b/detections/endpoint/windows_ad_replication_request_initiated_by_user_account.yml @@ -16,12 +16,12 @@ references: - https://www.linkedin.com/pulse/mimikatz-dcsync-event-log-detections-john-dwyer - https://github.com/SigmaHQ/sigma/blob/0.22-699-g29a5c6278/rules/windows/builtin/security/win_security_dcsync.yml drilldown_searches: -- name: View the detection results for $user$ - search: '%original_detection_search% | search user = $user$' +- name: View the detection results for - "$user$" + search: '%original_detection_search% | search user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_ad_replication_request_initiated_from_unsanctioned_location.yml b/detections/endpoint/windows_ad_replication_request_initiated_from_unsanctioned_location.yml index 6b759e4dc6..7aea6dbd89 100644 --- a/detections/endpoint/windows_ad_replication_request_initiated_from_unsanctioned_location.yml +++ b/detections/endpoint/windows_ad_replication_request_initiated_from_unsanctioned_location.yml @@ -17,12 +17,12 @@ references: - https://www.linkedin.com/pulse/mimikatz-dcsync-event-log-detections-john-dwyer - https://github.com/SigmaHQ/sigma/blob/0.22-699-g29a5c6278/rules/windows/builtin/security/win_security_dcsync.yml drilldown_searches: -- name: View the detection results for $user$ - search: '%original_detection_search% | search user = $user$' +- name: View the detection results for - "$user$" + search: '%original_detection_search% | search user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_ad_same_domain_sid_history_addition.yml b/detections/endpoint/windows_ad_same_domain_sid_history_addition.yml index 9330346a13..f8a726c1c9 100644 --- a/detections/endpoint/windows_ad_same_domain_sid_history_addition.yml +++ b/detections/endpoint/windows_ad_same_domain_sid_history_addition.yml @@ -18,12 +18,12 @@ references: - https://learn.microsoft.com/en-us/defender-for-identity/security-assessment-unsecure-sid-history-attribute - https://book.hacktricks.xyz/windows-hardening/active-directory-methodology/sid-history-injection drilldown_searches: -- name: View the detection results for $src_user$ and $user$ - search: '%original_detection_search% | search src_user = $src_user$ user = $user$' +- name: View the detection results for - "$src_user$" and "$user$" + search: '%original_detection_search% | search src_user = "$src_user$" user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $src_user$ and $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($src_user$, $user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$src_user$" and "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src_user$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_ad_serviceprincipalname_added_to_domain_account.yml b/detections/endpoint/windows_ad_serviceprincipalname_added_to_domain_account.yml index 56a611bc4e..05f3e86acc 100644 --- a/detections/endpoint/windows_ad_serviceprincipalname_added_to_domain_account.yml +++ b/detections/endpoint/windows_ad_serviceprincipalname_added_to_domain_account.yml @@ -17,12 +17,12 @@ references: - https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5136 - https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/t1208-kerberoasting drilldown_searches: -- name: View the detection results for $ObjectDN$ - search: '%original_detection_search% | search ObjectDN = $ObjectDN$' +- name: View the detection results for - "$ObjectDN$" + search: '%original_detection_search% | search ObjectDN = "$ObjectDN$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $ObjectDN$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($ObjectDN$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$ObjectDN$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$ObjectDN$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_ad_short_lived_domain_account_serviceprincipalname.yml b/detections/endpoint/windows_ad_short_lived_domain_account_serviceprincipalname.yml index f42abadb35..4e50edd550 100644 --- a/detections/endpoint/windows_ad_short_lived_domain_account_serviceprincipalname.yml +++ b/detections/endpoint/windows_ad_short_lived_domain_account_serviceprincipalname.yml @@ -17,12 +17,12 @@ references: - https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5136 - https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/t1208-kerberoasting drilldown_searches: -- name: View the detection results for $user$ - search: '%original_detection_search% | search user = $user$' +- name: View the detection results for - "$user$" + search: '%original_detection_search% | search user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_ad_short_lived_domain_controller_spn_attribute.yml b/detections/endpoint/windows_ad_short_lived_domain_controller_spn_attribute.yml index b5ab1db1d6..c6051c7714 100644 --- a/detections/endpoint/windows_ad_short_lived_domain_controller_spn_attribute.yml +++ b/detections/endpoint/windows_ad_short_lived_domain_controller_spn_attribute.yml @@ -19,12 +19,12 @@ references: - https://attack.mitre.org/techniques/T1207/ - https://blog.alsid.eu/dcshadow-explained-4510f52fc19d drilldown_searches: -- name: View the detection results for $src_user$ - search: '%original_detection_search% | search src_user = $src_user$' +- name: View the detection results for - "$src_user$" + search: '%original_detection_search% | search src_user = "$src_user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $src_user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($src_user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$src_user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src_user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_ad_short_lived_server_object.yml b/detections/endpoint/windows_ad_short_lived_server_object.yml index 6139af3f98..db574e9d18 100644 --- a/detections/endpoint/windows_ad_short_lived_server_object.yml +++ b/detections/endpoint/windows_ad_short_lived_server_object.yml @@ -20,12 +20,12 @@ references: - https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5137 - https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5141 drilldown_searches: -- name: View the detection results for $Computer$ - search: '%original_detection_search% | search Computer = $Computer$' +- name: View the detection results for - "$Computer$" + search: '%original_detection_search% | search Computer = "$Computer$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $Computer$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($Computer$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$Computer$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$Computer$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_ad_sid_history_attribute_modified.yml b/detections/endpoint/windows_ad_sid_history_attribute_modified.yml index a85f167b75..429e177649 100644 --- a/detections/endpoint/windows_ad_sid_history_attribute_modified.yml +++ b/detections/endpoint/windows_ad_sid_history_attribute_modified.yml @@ -17,12 +17,12 @@ references: - https://learn.microsoft.com/en-us/defender-for-identity/security-assessment-unsecure-sid-history-attribute - https://book.hacktricks.xyz/windows-hardening/active-directory-methodology/sid-history-injection drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_adfind_exe.yml b/detections/endpoint/windows_adfind_exe.yml index 1dafa9698c..77872b400e 100644 --- a/detections/endpoint/windows_adfind_exe.yml +++ b/detections/endpoint/windows_adfind_exe.yml @@ -11,30 +11,20 @@ data_source: - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where ((Processes.process="* -f *" OR Processes.process="* -b *") AND (Processes.process=*objectcategory* OR Processes.process="*-gcb *" OR Processes.process="* -sc *" )) OR ((Processes.process="*trustdmp*" OR Processes.process="*dclist*")) by Processes.dest Processes.user Processes.process_name Processes.process Processes.parent_process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_adfind_exe_filter`| `windows_adfind_exe_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection - and Response (EDR) agents. These agents are designed to provide security-related - telemetry from the endpoints where the agent is installed. To implement this search, - you must ingest logs that contain the process GUID, process name, and parent process. - Additionally, you must ingest complete command-line executions. These logs must - be processed using the appropriate Splunk Technology Add-ons that are specific to - the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` - data model. Use the Splunk Common Information Model (CIM) to normalize the field - names and speed up the data modeling process. -known_false_positives: ADfind is a command-line tool for AD administration and management - that is seen to be leveraged by various adversaries. Filter out legitimate administrator - usage using the filter macro. +how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. +known_false_positives: ADfind is a command-line tool for AD administration and management that is seen to be leveraged by various adversaries. Filter out legitimate administrator usage using the filter macro. references: - https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/ - https://www.mandiant.com/resources/a-nasty-trick-from-credential-theft-malware-to-business-disruption - https://www.joeware.net/freetools/tools/adfind/index.htm - https://thedfirreport.com/2023/05/22/icedid-macro-ends-in-nokoyawa-ransomware/ drilldown_searches: -- name: View the detection results for $user$ - search: '%original_detection_search% | search user = $user$' +- name: View the detection results for - "$user$" + search: '%original_detection_search% | search user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: @@ -82,4 +72,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1018/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog \ No newline at end of file + sourcetype: xmlwineventlog diff --git a/detections/endpoint/windows_admin_permission_discovery.yml b/detections/endpoint/windows_admin_permission_discovery.yml index 67f6a01cdb..27fec4c315 100644 --- a/detections/endpoint/windows_admin_permission_discovery.yml +++ b/detections/endpoint/windows_admin_permission_discovery.yml @@ -14,12 +14,12 @@ known_false_positives: False positives may occur if there are legitimate account references: - https://malpedia.caad.fkie.fraunhofer.de/details/win.njrat drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_administrative_shares_accessed_on_multiple_hosts.yml b/detections/endpoint/windows_administrative_shares_accessed_on_multiple_hosts.yml index b3f33eb374..481e1aa230 100644 --- a/detections/endpoint/windows_administrative_shares_accessed_on_multiple_hosts.yml +++ b/detections/endpoint/windows_administrative_shares_accessed_on_multiple_hosts.yml @@ -19,12 +19,12 @@ references: - https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5140 - https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5145 drilldown_searches: -- name: View the detection results for $host_targets$ - search: '%original_detection_search% | search host_targets = $host_targets$' +- name: View the detection results for - "$host_targets$" + search: '%original_detection_search% | search host_targets = "$host_targets$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $host_targets$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($host_targets$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$host_targets$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$host_targets$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_admon_default_group_policy_object_modified.yml b/detections/endpoint/windows_admon_default_group_policy_object_modified.yml index e07cb6177b..2f7c780133 100644 --- a/detections/endpoint/windows_admon_default_group_policy_object_modified.yml +++ b/detections/endpoint/windows_admon_default_group_policy_object_modified.yml @@ -18,12 +18,12 @@ references: - https://adsecurity.org/?p=2716 - https://docs.splunk.com/Documentation/SplunkCloud/8.1.2101/Data/MonitorActiveDirectory drilldown_searches: -- name: View the detection results for $dcName$ - search: '%original_detection_search% | search dcName = $dcName$' +- name: View the detection results for - "$dcName$" + search: '%original_detection_search% | search dcName = "$dcName$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dcName$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dcName$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dcName$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dcName$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_admon_group_policy_object_created.yml b/detections/endpoint/windows_admon_group_policy_object_created.yml index 25fdab2e4c..bea6685566 100644 --- a/detections/endpoint/windows_admon_group_policy_object_created.yml +++ b/detections/endpoint/windows_admon_group_policy_object_created.yml @@ -18,12 +18,12 @@ references: - https://adsecurity.org/?p=2716 - https://docs.splunk.com/Documentation/SplunkCloud/8.1.2101/Data/MonitorActiveDirectory drilldown_searches: -- name: View the detection results for $dcName$ - search: '%original_detection_search% | search dcName = $dcName$' +- name: View the detection results for - "$dcName$" + search: '%original_detection_search% | search dcName = "$dcName$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dcName$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dcName$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dcName$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dcName$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_alternate_datastream___base64_content.yml b/detections/endpoint/windows_alternate_datastream___base64_content.yml index 9fc75dfbe7..fbd6af92e9 100644 --- a/detections/endpoint/windows_alternate_datastream___base64_content.yml +++ b/detections/endpoint/windows_alternate_datastream___base64_content.yml @@ -18,12 +18,12 @@ references: - https://blog.netwrix.com/2022/12/16/alternate_data_stream/ - https://github.com/trustedsec/SysmonCommunityGuide/blob/master/chapters/file-stream-creation-hash.md drilldown_searches: -- name: View the detection results for $dest$ and $user$ - search: '%original_detection_search% | search dest = $dest$ user = $user$' +- name: View the detection results for - "$dest$" and "$user$" + search: '%original_detection_search% | search dest = "$dest$" user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ and $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$, $user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" and "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_alternate_datastream___executable_content.yml b/detections/endpoint/windows_alternate_datastream___executable_content.yml index 54746ae983..13fcf8e761 100644 --- a/detections/endpoint/windows_alternate_datastream___executable_content.yml +++ b/detections/endpoint/windows_alternate_datastream___executable_content.yml @@ -16,12 +16,12 @@ references: - https://blogs.juniper.net/en-us/threat-research/bitpaymer-ransomware-hides-behind-windows-alternate-data-streams - https://twitter.com/0xrawsec/status/1002478725605273600?s=21 drilldown_searches: -- name: View the detection results for $dest$ and $user$ - search: '%original_detection_search% | search dest = $dest$ user = $user$' +- name: View the detection results for - "$dest$" and "$user$" + search: '%original_detection_search% | search dest = "$dest$" user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ and $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$, $user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" and "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_alternate_datastream___process_execution.yml b/detections/endpoint/windows_alternate_datastream___process_execution.yml index 4df3eb6546..4bf821580d 100644 --- a/detections/endpoint/windows_alternate_datastream___process_execution.yml +++ b/detections/endpoint/windows_alternate_datastream___process_execution.yml @@ -18,12 +18,12 @@ references: - https://blogs.juniper.net/en-us/threat-research/bitpaymer-ransomware-hides-behind-windows-alternate-data-streams - https://blog.netwrix.com/2022/12/16/alternate_data_stream/ drilldown_searches: -- name: View the detection results for $dest$ and $user$ - search: '%original_detection_search% | search dest = $dest$ user = $user$' +- name: View the detection results for - "$dest$" and "$user$" + search: '%original_detection_search% | search dest = "$dest$" user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ and $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$, $user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" and "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_apache_benchmark_binary.yml b/detections/endpoint/windows_apache_benchmark_binary.yml index 343f59c430..3087896da9 100644 --- a/detections/endpoint/windows_apache_benchmark_binary.yml +++ b/detections/endpoint/windows_apache_benchmark_binary.yml @@ -16,12 +16,12 @@ known_false_positives: False positives should be limited as there is a small sub references: - https://seclists.org/metasploit/2013/q3/13 drilldown_searches: -- name: View the detection results for $user$ and $dest$ - search: '%original_detection_search% | search user = $user$ dest = $dest$' +- name: View the detection results for - "$user$" and "$dest$" + search: '%original_detection_search% | search user = "$user$" dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ and $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$, $dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" and "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_app_layer_protocol_qakbot_namedpipe.yml b/detections/endpoint/windows_app_layer_protocol_qakbot_namedpipe.yml index 30335e6200..db73d7f0c0 100644 --- a/detections/endpoint/windows_app_layer_protocol_qakbot_namedpipe.yml +++ b/detections/endpoint/windows_app_layer_protocol_qakbot_namedpipe.yml @@ -17,12 +17,12 @@ references: - https://www.trellix.com/en-us/about/newsroom/stories/research/demystifying-qbot-malware.html - https://www.elastic.co/security-labs/qbot-malware-analysis drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_app_layer_protocol_wermgr_connect_to_namedpipe.yml b/detections/endpoint/windows_app_layer_protocol_wermgr_connect_to_namedpipe.yml index 41e3d62e44..643ba7c867 100644 --- a/detections/endpoint/windows_app_layer_protocol_wermgr_connect_to_namedpipe.yml +++ b/detections/endpoint/windows_app_layer_protocol_wermgr_connect_to_namedpipe.yml @@ -16,12 +16,12 @@ references: - https://strontic.github.io/xcyclopedia/library/wermgr.exe-0F652BF7ADA772981E8AAB0D108FCC92.html - https://www.trellix.com/en-us/about/newsroom/stories/research/demystifying-qbot-malware.html drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_application_layer_protocol_rms_radmin_tool_namedpipe.yml b/detections/endpoint/windows_application_layer_protocol_rms_radmin_tool_namedpipe.yml index 1333ee9849..0453680bac 100644 --- a/detections/endpoint/windows_application_layer_protocol_rms_radmin_tool_namedpipe.yml +++ b/detections/endpoint/windows_application_layer_protocol_rms_radmin_tool_namedpipe.yml @@ -16,12 +16,12 @@ references: - https://app.any.run/tasks/a6f2ffe2-e6e2-4396-ae2e-04ea0143f2d8/ - https://attack.mitre.org/techniques/T1071/ drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_applocker_block_events.yml b/detections/endpoint/windows_applocker_block_events.yml index 45c831788e..7116ed546d 100644 --- a/detections/endpoint/windows_applocker_block_events.yml +++ b/detections/endpoint/windows_applocker_block_events.yml @@ -15,12 +15,12 @@ references: - https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/applocker/using-event-viewer-with-applocker - https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/querying-application-control-events-centrally-using-advanced-hunting drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_applocker_execution_from_uncommon_locations.yml b/detections/endpoint/windows_applocker_execution_from_uncommon_locations.yml index 6e46faaf46..64f1962ccd 100644 --- a/detections/endpoint/windows_applocker_execution_from_uncommon_locations.yml +++ b/detections/endpoint/windows_applocker_execution_from_uncommon_locations.yml @@ -6,31 +6,10 @@ author: Michael Haag, Splunk data_source: [] type: Hunting status: production -description: The following analytic identifies the execution of applications or scripts - from uncommon or suspicious file paths, potentially indicating malware or unauthorized - activity. It leverages Windows AppLocker event logs and uses statistical analysis - to detect anomalies. By calculating the average and standard deviation of execution - counts per file path, it flags paths with execution counts significantly higher - than expected. This behavior is significant as it can uncover malicious activities - or policy violations. If confirmed malicious, this activity could allow attackers - to execute unauthorized code, leading to potential system compromise or data breaches. -search: '`applocker` | spath input=UserData_Xml | rename RuleAndFileData.* as *, Computer - as dest, TargetUser AS user | stats count min(_time) as firstTime max(_time) as - lastTime by dest, PolicyName, RuleId, user, TargetProcessId, FilePath, FullFilePath - | eventstats avg(count) as avg, stdev(count) as stdev | eval upperBound=(avg+stdev*2), - anomaly=if(count > upperBound, "Yes", "No") | where anomaly="Yes" | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` | `windows_applocker_execution_from_uncommon_locations_filter`' -how_to_implement: The analytic is designed to be run against Windows AppLocker event - logs collected from endpoints with AppLocker enabled. If using Microsoft Defender - for Endpoint (MDE), modify the analytic to use EventTypes/ActionTypes that match - the block events for AppLocker. The analytic requires the AppLocker event logs to - be ingested into Splunk. Note that, an additional method to reduce any false positives - would be to add the specific EventCodes - 8003 or 8004 and filter from there. Upon - tuning, modify to Anomaly or TTP. -known_false_positives: False positives are possible if legitimate users are executing - applications from file paths that are not permitted by AppLocker. It is recommended - to investigate the context of the application execution to determine if it is malicious - or not. Modify the threshold as needed to reduce false positives. +description: The following analytic identifies the execution of applications or scripts from uncommon or suspicious file paths, potentially indicating malware or unauthorized activity. It leverages Windows AppLocker event logs and uses statistical analysis to detect anomalies. By calculating the average and standard deviation of execution counts per file path, it flags paths with execution counts significantly higher than expected. This behavior is significant as it can uncover malicious activities or policy violations. If confirmed malicious, this activity could allow attackers to execute unauthorized code, leading to potential system compromise or data breaches. +search: '`applocker` | spath input=UserData_Xml | rename RuleAndFileData.* as *, Computer as dest, TargetUser AS user | stats count min(_time) as firstTime max(_time) as lastTime by dest, PolicyName, RuleId, user, TargetProcessId, FilePath, FullFilePath | eventstats avg(count) as avg, stdev(count) as stdev | eval upperBound=(avg+stdev*2), anomaly=if(count > upperBound, "Yes", "No") | where anomaly="Yes" | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_applocker_execution_from_uncommon_locations_filter`' +how_to_implement: The analytic is designed to be run against Windows AppLocker event logs collected from endpoints with AppLocker enabled. If using Microsoft Defender for Endpoint (MDE), modify the analytic to use EventTypes/ActionTypes that match the block events for AppLocker. The analytic requires the AppLocker event logs to be ingested into Splunk. Note that, an additional method to reduce any false positives would be to add the specific EventCodes - 8003 or 8004 and filter from there. Upon tuning, modify to Anomaly or TTP. +known_false_positives: False positives are possible if legitimate users are executing applications from file paths that are not permitted by AppLocker. It is recommended to investigate the context of the application execution to determine if it is malicious or not. Modify the threshold as needed to reduce false positives. references: - https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/querying-application-control-events-centrally-using-advanced-hunting - https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/applocker/using-event-viewer-with-applocker @@ -62,7 +41,6 @@ tags: tests: - name: True Positive Test attack_data: - - data: - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562/applocker/applocker.log + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562/applocker/applocker.log sourcetype: xmlwineventlog source: XmlWinEventLog:Microsoft-Windows-AppLocker/MSI and Script diff --git a/detections/endpoint/windows_applocker_privilege_escalation_via_unauthorized_bypass.yml b/detections/endpoint/windows_applocker_privilege_escalation_via_unauthorized_bypass.yml index 3b289fe83e..9034be7fbd 100644 --- a/detections/endpoint/windows_applocker_privilege_escalation_via_unauthorized_bypass.yml +++ b/detections/endpoint/windows_applocker_privilege_escalation_via_unauthorized_bypass.yml @@ -14,12 +14,12 @@ references: - https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/querying-application-control-events-centrally-using-advanced-hunting - https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/applocker/using-event-viewer-with-applocker drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_applocker_rare_application_launch_detection.yml b/detections/endpoint/windows_applocker_rare_application_launch_detection.yml index d1e9808b17..ca218f2c8f 100644 --- a/detections/endpoint/windows_applocker_rare_application_launch_detection.yml +++ b/detections/endpoint/windows_applocker_rare_application_launch_detection.yml @@ -6,28 +6,10 @@ author: Michael Haag, Splunk data_source: [] type: Hunting status: production -description: The following analytic detects the launch of rarely used applications - within the environment, which may indicate the use of potentially malicious software - or tools by attackers. It leverages Windows AppLocker event logs, aggregating application - launch counts over time and flagging those that significantly deviate from the norm. - This behavior is significant as it helps identify unusual application activity that - could signal a security threat. If confirmed malicious, this activity could allow - attackers to execute unauthorized code, potentially leading to further compromise - of the system. -search: '`applocker` | spath input=UserData_Xml | rename RuleAndFileData.* as *, Computer - as dest, TargetUser AS user | stats dc(_time) as days, count by FullFilePath dest - user | eventstats avg(count) as avg, stdev(count) as stdev | eval upperBound=(avg+stdev*3), - lowerBound=(avg-stdev*3) | where count > upperBound OR count < lowerBound | `windows_applocker_rare_application_launch_detection_filter`' -how_to_implement: The analytic is designed to be run against Windows AppLocker event - logs collected from endpoints with AppLocker enabled. If using Microsoft Defender - for Endpoint (MDE), modify the analytic to use EventTypes/ActionTypes that match - the block events for AppLocker. The analytic requires the AppLocker event logs to - be ingested into Splunk. Note that, an additional method to reduce any false positives - would be to add the specific EventCodes - 8003 or 8004 and filter from there. -known_false_positives: False positives are possible if legitimate users are launching - applications that are not permitted by AppLocker. It is recommended to investigate - the context of the application launch to determine if it is malicious or not. Modify - the threshold as needed to reduce false positives. +description: The following analytic detects the launch of rarely used applications within the environment, which may indicate the use of potentially malicious software or tools by attackers. It leverages Windows AppLocker event logs, aggregating application launch counts over time and flagging those that significantly deviate from the norm. This behavior is significant as it helps identify unusual application activity that could signal a security threat. If confirmed malicious, this activity could allow attackers to execute unauthorized code, potentially leading to further compromise of the system. +search: '`applocker` | spath input=UserData_Xml | rename RuleAndFileData.* as *, Computer as dest, TargetUser AS user | stats dc(_time) as days, count by FullFilePath dest user | eventstats avg(count) as avg, stdev(count) as stdev | eval upperBound=(avg+stdev*3), lowerBound=(avg-stdev*3) | where count > upperBound OR count < lowerBound | `windows_applocker_rare_application_launch_detection_filter`' +how_to_implement: The analytic is designed to be run against Windows AppLocker event logs collected from endpoints with AppLocker enabled. If using Microsoft Defender for Endpoint (MDE), modify the analytic to use EventTypes/ActionTypes that match the block events for AppLocker. The analytic requires the AppLocker event logs to be ingested into Splunk. Note that, an additional method to reduce any false positives would be to add the specific EventCodes - 8003 or 8004 and filter from there. +known_false_positives: False positives are possible if legitimate users are launching applications that are not permitted by AppLocker. It is recommended to investigate the context of the application launch to determine if it is malicious or not. Modify the threshold as needed to reduce false positives. references: - https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/applocker/using-event-viewer-with-applocker - https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/querying-application-control-events-centrally-using-advanced-hunting @@ -37,8 +19,7 @@ tags: asset_type: Endpoint confidence: 30 impact: 50 - message: An application launch that deviates from the norm was detected on a host - $dest$. + message: An application launch that deviates from the norm was detected on a host $dest$. mitre_attack_id: - T1218 observable: @@ -60,7 +41,6 @@ tags: tests: - name: True Positive Test attack_data: - - data: - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562/applocker/applocker.log + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562/applocker/applocker.log sourcetype: xmlwineventlog source: XmlWinEventLog:Microsoft-Windows-AppLocker/MSI and Script diff --git a/detections/endpoint/windows_archive_collected_data_via_powershell.yml b/detections/endpoint/windows_archive_collected_data_via_powershell.yml index eeb9ef23f0..50b16b4a37 100644 --- a/detections/endpoint/windows_archive_collected_data_via_powershell.yml +++ b/detections/endpoint/windows_archive_collected_data_via_powershell.yml @@ -14,12 +14,12 @@ known_false_positives: powershell may used this function to archive data. references: - https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_archive_collected_data_via_rar.yml b/detections/endpoint/windows_archive_collected_data_via_rar.yml index 167a655c82..d74800dee7 100644 --- a/detections/endpoint/windows_archive_collected_data_via_rar.yml +++ b/detections/endpoint/windows_archive_collected_data_via_rar.yml @@ -16,12 +16,12 @@ known_false_positives: user and network administrator can execute this command. references: - https://malpedia.caad.fkie.fraunhofer.de/details/win.darkgate drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_autoit3_execution.yml b/detections/endpoint/windows_autoit3_execution.yml index 698c980bf8..330a726707 100644 --- a/detections/endpoint/windows_autoit3_execution.yml +++ b/detections/endpoint/windows_autoit3_execution.yml @@ -16,12 +16,12 @@ known_false_positives: False positives may be present if the application is legi references: - https://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2023-10-25-IOCs-from-DarkGate-activity.txt drilldown_searches: -- name: View the detection results for $dest$ and $user$ - search: '%original_detection_search% | search dest = $dest$ user = $user$' +- name: View the detection results for - "$dest$" and "$user$" + search: '%original_detection_search% | search dest = "$dest$" user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ and $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$, $user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" and "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_autostart_execution_lsass_driver_registry_modification.yml b/detections/endpoint/windows_autostart_execution_lsass_driver_registry_modification.yml index a7cab8ebca..ed8499e8bf 100644 --- a/detections/endpoint/windows_autostart_execution_lsass_driver_registry_modification.yml +++ b/detections/endpoint/windows_autostart_execution_lsass_driver_registry_modification.yml @@ -16,12 +16,12 @@ references: - https://blog.xpnsec.com/exploring-mimikatz-part-1/ - https://github.com/oxfemale/LogonCredentialsSteal/tree/master/lsass_lib drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_binary_proxy_execution_mavinject_dll_injection.yml b/detections/endpoint/windows_binary_proxy_execution_mavinject_dll_injection.yml index d6b7bf6405..48ae936440 100644 --- a/detections/endpoint/windows_binary_proxy_execution_mavinject_dll_injection.yml +++ b/detections/endpoint/windows_binary_proxy_execution_mavinject_dll_injection.yml @@ -18,12 +18,12 @@ references: - https://posts.specterops.io/mavinject-exe-functionality-deconstructed-c29ab2cf5c0e - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218/T1218.md#atomic-test-1---mavinject---inject-dll-into-running-process drilldown_searches: -- name: View the detection results for $user$ and $dest$ - search: '%original_detection_search% | search user = $user$ dest = $dest$' +- name: View the detection results for - "$user$" and "$dest$" + search: '%original_detection_search% | search user = "$user$" dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ and $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$, $dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" and "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_boot_or_logon_autostart_execution_in_startup_folder.yml b/detections/endpoint/windows_boot_or_logon_autostart_execution_in_startup_folder.yml index dde3a0e080..293c5a51a0 100644 --- a/detections/endpoint/windows_boot_or_logon_autostart_execution_in_startup_folder.yml +++ b/detections/endpoint/windows_boot_or_logon_autostart_execution_in_startup_folder.yml @@ -15,12 +15,12 @@ references: - https://attack.mitre.org/techniques/T1204/002/ - https://www.fortinet.com/blog/threat-research/chaos-ransomware-variant-sides-with-russia drilldown_searches: -- name: View the detection results for $user$ and $dest$ - search: '%original_detection_search% | search user = $user$ dest = $dest$' +- name: View the detection results for - "$user$" and "$dest$" + search: '%original_detection_search% | search user = "$user$" dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ and $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$, $dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" and "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_bootloader_inventory.yml b/detections/endpoint/windows_bootloader_inventory.yml index e42050faa3..e32c7b076d 100644 --- a/detections/endpoint/windows_bootloader_inventory.yml +++ b/detections/endpoint/windows_bootloader_inventory.yml @@ -6,22 +6,10 @@ author: Michael Haag, Splunk status: experimental type: Hunting data_source: [] -description: The following analytic identifies the bootloader paths on Windows endpoints. - It leverages a PowerShell Scripted input to capture this data, which is then processed - and aggregated using Splunk. Monitoring bootloader paths is significant for a SOC - as it helps detect unauthorized modifications that could indicate bootkits or other - persistent threats. If confirmed malicious, such activity could allow attackers - to maintain persistence, bypass security controls, and potentially control the boot - process, leading to full system compromise. -search: '`bootloader_inventory` | stats count min(_time) as firstTime max(_time) as - lastTime values(_raw) by host | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` - | `windows_bootloader_inventory_filter`' -how_to_implement: To implement this analytic, a new stanza will need to be added to - a inputs.conf and deployed to all or some Windows endpoints. https://gist.github.com/MHaggis/26518cd2844b0e03de6126660bb45707 - provides the stanza. If modifying the sourcetype, be sure to update the Macro for - this analytic. Recommend running it daily, or weekly, depending on threat model. -known_false_positives: No false positives here, only bootloaders. Filter as needed - or create a lookup as a baseline. +description: The following analytic identifies the bootloader paths on Windows endpoints. It leverages a PowerShell Scripted input to capture this data, which is then processed and aggregated using Splunk. Monitoring bootloader paths is significant for a SOC as it helps detect unauthorized modifications that could indicate bootkits or other persistent threats. If confirmed malicious, such activity could allow attackers to maintain persistence, bypass security controls, and potentially control the boot process, leading to full system compromise. +search: '`bootloader_inventory` | stats count min(_time) as firstTime max(_time) as lastTime values(_raw) by host | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_bootloader_inventory_filter`' +how_to_implement: To implement this analytic, a new stanza will need to be added to a inputs.conf and deployed to all or some Windows endpoints. https://gist.github.com/MHaggis/26518cd2844b0e03de6126660bb45707 provides the stanza. If modifying the sourcetype, be sure to update the Macro for this analytic. Recommend running it daily, or weekly, depending on threat model. +known_false_positives: No false positives here, only bootloaders. Filter as needed or create a lookup as a baseline. references: - https://gist.github.com/MHaggis/26518cd2844b0e03de6126660bb45707 - https://www.microsoft.com/en-us/security/blog/2023/04/11/guidance-for-investigating-attacks-using-cve-2022-21894-the-blacklotus-campaign/ diff --git a/detections/endpoint/windows_bypass_uac_via_pkgmgr_tool.yml b/detections/endpoint/windows_bypass_uac_via_pkgmgr_tool.yml index 96fd3990b7..c88cb997b8 100644 --- a/detections/endpoint/windows_bypass_uac_via_pkgmgr_tool.yml +++ b/detections/endpoint/windows_bypass_uac_via_pkgmgr_tool.yml @@ -17,12 +17,12 @@ references: - https://asec.ahnlab.com/en/17692/ - https://www.blackberry.com/us/en/solutions/endpoint-security/ransomware-protection/warzone#:~:text=Warzone%20RAT%20(AKA%20Ave%20Maria)%20is%20a%20remote%20access%20trojan,is%20as%20an%20information%20stealer. drilldown_searches: -- name: View the detection results for $user$ and $dest$ - search: '%original_detection_search% | search user = $user$ dest = $dest$' +- name: View the detection results for - "$user$" and "$dest$" + search: '%original_detection_search% | search user = "$user$" dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ and $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$, $dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" and "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_cab_file_on_disk.yml b/detections/endpoint/windows_cab_file_on_disk.yml index c487fcaabc..2702cb574f 100644 --- a/detections/endpoint/windows_cab_file_on_disk.yml +++ b/detections/endpoint/windows_cab_file_on_disk.yml @@ -14,12 +14,12 @@ known_false_positives: False positives will only be present if a process legitim references: - https://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2023-10-25-IOCs-from-DarkGate-activity.txt drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_cached_domain_credentials_reg_query.yml b/detections/endpoint/windows_cached_domain_credentials_reg_query.yml index 3eaa32bfb6..b7440814a3 100644 --- a/detections/endpoint/windows_cached_domain_credentials_reg_query.yml +++ b/detections/endpoint/windows_cached_domain_credentials_reg_query.yml @@ -18,12 +18,12 @@ references: - https://learn.microsoft.com/de-de/troubleshoot/windows-server/user-profiles-and-logon/cached-domain-logon-information - https://github.com/carlospolop/PEASS-ng/tree/master/winPEAS drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_change_default_file_association_for_no_file_ext.yml b/detections/endpoint/windows_change_default_file_association_for_no_file_ext.yml index 87a91c309f..d728f58be6 100644 --- a/detections/endpoint/windows_change_default_file_association_for_no_file_ext.yml +++ b/detections/endpoint/windows_change_default_file_association_for_no_file_ext.yml @@ -16,12 +16,12 @@ known_false_positives: unknown references: - https://www.microsoft.com/en-us/security/blog/2022/10/14/new-prestige-ransomware-impacts-organizations-in-ukraine-and-poland/ drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_clipboard_data_via_get_clipboard.yml b/detections/endpoint/windows_clipboard_data_via_get_clipboard.yml index 965b3fa124..6360fc8cab 100644 --- a/detections/endpoint/windows_clipboard_data_via_get_clipboard.yml +++ b/detections/endpoint/windows_clipboard_data_via_get_clipboard.yml @@ -16,12 +16,12 @@ references: - https://github.com/carlospolop/PEASS-ng/tree/master/winPEAS - https://www.microsoft.com/en-us/security/blog/2022/10/14/new-prestige-ransomware-impacts-organizations-in-ukraine-and-poland/ drilldown_searches: -- name: View the detection results for $dest$ and $user$ - search: '%original_detection_search% | search dest = $dest$ user = $user$' +- name: View the detection results for - "$dest$" and "$user$" + search: '%original_detection_search% | search dest = "$dest$" user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ and $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$, $user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" and "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_com_hijacking_inprocserver32_modification.yml b/detections/endpoint/windows_com_hijacking_inprocserver32_modification.yml index 8a47b209ad..555712086c 100644 --- a/detections/endpoint/windows_com_hijacking_inprocserver32_modification.yml +++ b/detections/endpoint/windows_com_hijacking_inprocserver32_modification.yml @@ -18,12 +18,12 @@ references: - https://blog.cluster25.duskrise.com/2022/09/23/in-the-footsteps-of-the-fancy-bear-powerpoint-graphite/ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.015/T1546.015.md drilldown_searches: -- name: View the detection results for $user$ and $dest$ - search: '%original_detection_search% | search user = $user$ dest = $dest$' +- name: View the detection results for - "$user$" and "$dest$" + search: '%original_detection_search% | search user = "$user$" dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ and $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$, $dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" and "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_command_and_scripting_interpreter_hunting_path_traversal.yml b/detections/endpoint/windows_command_and_scripting_interpreter_hunting_path_traversal.yml index be28ef8509..0e1a115673 100644 --- a/detections/endpoint/windows_command_and_scripting_interpreter_hunting_path_traversal.yml +++ b/detections/endpoint/windows_command_and_scripting_interpreter_hunting_path_traversal.yml @@ -5,39 +5,14 @@ date: '2024-10-17' author: Teoderick Contreras, Michael Haag, Splunk status: production type: Hunting -description: The following analytic identifies path traversal command-line executions, - leveraging data from Endpoint Detection and Response (EDR) agents. It detects patterns - in command-line arguments indicative of path traversal techniques, such as multiple - instances of "/..", "\..", or "\\..". This activity is significant as it often indicates - attempts to evade defenses by executing malicious code, such as through msdt.exe. - If confirmed malicious, this behavior could allow attackers to execute arbitrary - code, potentially leading to system compromise, data exfiltration, or further lateral - movement within the network. +description: The following analytic identifies path traversal command-line executions, leveraging data from Endpoint Detection and Response (EDR) agents. It detects patterns in command-line arguments indicative of path traversal techniques, such as multiple instances of "/..", "\..", or "\\..". This activity is significant as it often indicates attempts to evade defenses by executing malicious code, such as through msdt.exe. If confirmed malicious, this behavior could allow attackers to execute arbitrary code, potentially leading to system compromise, data exfiltration, or further lateral movement within the network. data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) - as lastTime FROM datamodel=Endpoint.Processes by Processes.original_file_name Processes.process_id - Processes.parent_process_id Processes.process_hash Processes.dest Processes.user - Processes.parent_process_name Processes.process_name Processes.process | `drop_dm_object_name("Processes")` - | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | eval - count_of_pattern1 = (mvcount(split(process,"/.."))-1) | eval count_of_pattern2 = - (mvcount(split(process,"\.."))-1) | eval count_of_pattern3 = (mvcount(split(process,"\\.."))-1) - | eval count_of_pattern4 = (mvcount(split(process,"//.."))-1) | search count_of_pattern1 - > 1 OR count_of_pattern2 > 1 OR count_of_pattern3 > 1 OR count_of_pattern4 > 1 | - `windows_command_and_scripting_interpreter_hunting_path_traversal_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection - and Response (EDR) agents. These agents are designed to provide security-related - telemetry from the endpoints where the agent is installed. To implement this search, - you must ingest logs that contain the process GUID, process name, and parent process. - Additionally, you must ingest complete command-line executions. These logs must - be processed using the appropriate Splunk Technology Add-ons that are specific to - the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` - data model. Use the Splunk Common Information Model (CIM) to normalize the field - names and speed up the data modeling process. -known_false_positives: false positive may vary depends on the score you want to check. - The bigger number of path traversal string count the better. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes by Processes.original_file_name Processes.process_id Processes.parent_process_id Processes.process_hash Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process | `drop_dm_object_name("Processes")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | eval count_of_pattern1 = (mvcount(split(process,"/.."))-1) | eval count_of_pattern2 = (mvcount(split(process,"\.."))-1) | eval count_of_pattern3 = (mvcount(split(process,"\\.."))-1) | eval count_of_pattern4 = (mvcount(split(process,"//.."))-1) | search count_of_pattern1 > 1 OR count_of_pattern2 > 1 OR count_of_pattern3 > 1 OR count_of_pattern4 > 1 | `windows_command_and_scripting_interpreter_hunting_path_traversal_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. +known_false_positives: false positive may vary depends on the score you want to check. The bigger number of path traversal string count the better. references: - https://app.any.run/tasks/713f05d2-fe78-4b9d-a744-f7c133e3fafb/ tags: @@ -47,8 +22,7 @@ tags: asset_type: Endpoint confidence: 60 impact: 60 - message: A parent process $parent_process_name$ has spawned a child $process_name$ - with path traversal commandline $process$ in $dest$ + message: A parent process $parent_process_name$ has spawned a child $process_name$ with path traversal commandline $process$ in $dest$ mitre_attack_id: - T1059 observable: @@ -78,8 +52,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059/path_traversal/sysmon.log + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059/path_traversal/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog update_timestamp: true diff --git a/detections/endpoint/windows_command_and_scripting_interpreter_path_traversal_exec.yml b/detections/endpoint/windows_command_and_scripting_interpreter_path_traversal_exec.yml index 340e0d7ddf..9c3cfe53af 100644 --- a/detections/endpoint/windows_command_and_scripting_interpreter_path_traversal_exec.yml +++ b/detections/endpoint/windows_command_and_scripting_interpreter_path_traversal_exec.yml @@ -16,12 +16,12 @@ known_false_positives: Not known at this moment. references: - https://app.any.run/tasks/713f05d2-fe78-4b9d-a744-f7c133e3fafb/ drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_command_shell_dcrat_forkbomb_payload.yml b/detections/endpoint/windows_command_shell_dcrat_forkbomb_payload.yml index 4ba0666fe2..9a3a12023d 100644 --- a/detections/endpoint/windows_command_shell_dcrat_forkbomb_payload.yml +++ b/detections/endpoint/windows_command_shell_dcrat_forkbomb_payload.yml @@ -18,12 +18,12 @@ references: - https://malpedia.caad.fkie.fraunhofer.de/details/win.dcrat - https://www.mandiant.com/resources/analyzing-dark-crystal-rat-backdoor drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_command_shell_fetch_env_variables.yml b/detections/endpoint/windows_command_shell_fetch_env_variables.yml index 48c13075dd..37d5515237 100644 --- a/detections/endpoint/windows_command_shell_fetch_env_variables.yml +++ b/detections/endpoint/windows_command_shell_fetch_env_variables.yml @@ -16,12 +16,12 @@ known_false_positives: shell process that are not included in this search may ca references: - https://twitter.com/pr0xylife/status/1585612370441031680?s=46&t=Dc3CJi4AnM-8rNoacLbScg drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_common_abused_cmd_shell_risk_behavior.yml b/detections/endpoint/windows_common_abused_cmd_shell_risk_behavior.yml index 2be2679bc4..b96b349845 100644 --- a/detections/endpoint/windows_common_abused_cmd_shell_risk_behavior.yml +++ b/detections/endpoint/windows_common_abused_cmd_shell_risk_behavior.yml @@ -14,12 +14,12 @@ references: - https://www.splunk.com/en_us/blog/security/from-macros-to-no-macros-continuous-malware-improvements-by-qakbot.html - https://www.splunk.com/en_us/blog/security/dark-crystal-rat-agent-deep-dive.html drilldown_searches: -- name: View the detection results for $risk_object$ - search: '%original_detection_search% | search risk_object = $risk_object$' +- name: View the detection results for - "$risk_object$" + search: '%original_detection_search% | search risk_object = "$risk_object$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $risk_object$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($risk_object$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$risk_object$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$risk_object$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_computer_account_created_by_computer_account.yml b/detections/endpoint/windows_computer_account_created_by_computer_account.yml index e095b3be0d..f87e60cb45 100644 --- a/detections/endpoint/windows_computer_account_created_by_computer_account.yml +++ b/detections/endpoint/windows_computer_account_created_by_computer_account.yml @@ -15,12 +15,12 @@ references: - https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-kile/445e4499-7e49-4f2a-8d82-aaf2d1ee3c47 - https://github.com/Dec0ne/KrbRelayUp drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_computer_account_requesting_kerberos_ticket.yml b/detections/endpoint/windows_computer_account_requesting_kerberos_ticket.yml index 5332d9283a..5d9c9d7b3e 100644 --- a/detections/endpoint/windows_computer_account_requesting_kerberos_ticket.yml +++ b/detections/endpoint/windows_computer_account_requesting_kerberos_ticket.yml @@ -14,12 +14,12 @@ known_false_positives: It is possible false positives will be present based on t references: - https://github.com/Dec0ne/KrbRelayUp drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_computer_account_with_spn.yml b/detections/endpoint/windows_computer_account_with_spn.yml index 2f8cf664c2..f9fad548d7 100644 --- a/detections/endpoint/windows_computer_account_with_spn.yml +++ b/detections/endpoint/windows_computer_account_with_spn.yml @@ -15,12 +15,12 @@ references: - https://www.trustedsec.com/blog/an-attack-path-mapping-approach-to-cves-2021-42287-and-2021-42278 - https://github.com/Dec0ne/KrbRelayUp drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_conhost_with_headless_argument.yml b/detections/endpoint/windows_conhost_with_headless_argument.yml index 62b6af235e..efae2991f8 100644 --- a/detections/endpoint/windows_conhost_with_headless_argument.yml +++ b/detections/endpoint/windows_conhost_with_headless_argument.yml @@ -17,12 +17,12 @@ references: - https://x.com/embee_research/status/1559410767564181504?s=20 - https://x.com/GroupIB_TI/status/1719675754886131959?s=20 drilldown_searches: -- name: View the detection results for $user$ and $dest$ - search: '%original_detection_search% | search user = $user$ dest = $dest$' +- name: View the detection results for - "$user$" and "$dest$" + search: '%original_detection_search% | search user = "$user$" dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ and $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$, $dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" and "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_create_local_account.yml b/detections/endpoint/windows_create_local_account.yml index e516594f8e..28855abc84 100644 --- a/detections/endpoint/windows_create_local_account.yml +++ b/detections/endpoint/windows_create_local_account.yml @@ -13,12 +13,12 @@ known_false_positives: It is possible that an administrator created the account. references: - https://thedfirreport.com/2022/03/21/apt35-automates-initial-access-using-proxyshell/ drilldown_searches: -- name: View the detection results for $user$ and $dest$ - search: '%original_detection_search% | search user = $user$ dest = $dest$' +- name: View the detection results for - "$user$" and "$dest$" + search: '%original_detection_search% | search user = "$user$" dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ and $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$, $dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" and "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_credential_access_from_browser_password_store.yml b/detections/endpoint/windows_credential_access_from_browser_password_store.yml index 422a92b5d1..5541816c2a 100644 --- a/detections/endpoint/windows_credential_access_from_browser_password_store.yml +++ b/detections/endpoint/windows_credential_access_from_browser_password_store.yml @@ -15,12 +15,12 @@ references: - https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger - https://www.checkpoint.com/cyber-hub/threat-prevention/what-is-malware/snake-keylogger-malware/ drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_credential_dumping_lsass_memory_createdump.yml b/detections/endpoint/windows_credential_dumping_lsass_memory_createdump.yml index 16e6cb3c06..15be7ea770 100644 --- a/detections/endpoint/windows_credential_dumping_lsass_memory_createdump.yml +++ b/detections/endpoint/windows_credential_dumping_lsass_memory_createdump.yml @@ -16,12 +16,12 @@ known_false_positives: False positives may be present if an application is dumpi references: - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.001/T1003.001.md#atomic-test-11---dump-lsass-with-createdumpexe-from-net-v5 drilldown_searches: -- name: View the detection results for $user$ and $dest$ - search: '%original_detection_search% | search user = $user$ dest = $dest$' +- name: View the detection results for - "$user$" and "$dest$" + search: '%original_detection_search% | search user = "$user$" dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ and $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$, $dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" and "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_credentials_from_password_stores_chrome_extension_access.yml b/detections/endpoint/windows_credentials_from_password_stores_chrome_extension_access.yml index 5383e9f490..a884905d73 100644 --- a/detections/endpoint/windows_credentials_from_password_stores_chrome_extension_access.yml +++ b/detections/endpoint/windows_credentials_from_password_stores_chrome_extension_access.yml @@ -14,12 +14,12 @@ known_false_positives: Uninstall chrome browser extension application may access references: - https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_credentials_from_password_stores_chrome_localstate_access.yml b/detections/endpoint/windows_credentials_from_password_stores_chrome_localstate_access.yml index 111ef9f28e..b0659b5501 100644 --- a/detections/endpoint/windows_credentials_from_password_stores_chrome_localstate_access.yml +++ b/detections/endpoint/windows_credentials_from_password_stores_chrome_localstate_access.yml @@ -14,12 +14,12 @@ known_false_positives: Uninstall chrome application may access this file and fol references: - https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_credentials_from_password_stores_chrome_login_data_access.yml b/detections/endpoint/windows_credentials_from_password_stores_chrome_login_data_access.yml index 954ce4dad4..712058798b 100644 --- a/detections/endpoint/windows_credentials_from_password_stores_chrome_login_data_access.yml +++ b/detections/endpoint/windows_credentials_from_password_stores_chrome_login_data_access.yml @@ -14,12 +14,12 @@ known_false_positives: Uninstall application may access this registry to remove references: - https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_credentials_from_password_stores_creation.yml b/detections/endpoint/windows_credentials_from_password_stores_creation.yml index 1c7a486b8f..0304e3c50c 100644 --- a/detections/endpoint/windows_credentials_from_password_stores_creation.yml +++ b/detections/endpoint/windows_credentials_from_password_stores_creation.yml @@ -16,12 +16,12 @@ known_false_positives: network administrator can use this tool for auditing proc references: - https://malpedia.caad.fkie.fraunhofer.de/details/win.darkgate drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_credentials_from_password_stores_deletion.yml b/detections/endpoint/windows_credentials_from_password_stores_deletion.yml index 01e1bb1a9c..c188847697 100644 --- a/detections/endpoint/windows_credentials_from_password_stores_deletion.yml +++ b/detections/endpoint/windows_credentials_from_password_stores_deletion.yml @@ -16,12 +16,12 @@ known_false_positives: network administrator can use this tool for auditing proc references: - https://malpedia.caad.fkie.fraunhofer.de/details/win.darkgate drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_credentials_from_password_stores_query.yml b/detections/endpoint/windows_credentials_from_password_stores_query.yml index aba5d11035..7e9de9347e 100644 --- a/detections/endpoint/windows_credentials_from_password_stores_query.yml +++ b/detections/endpoint/windows_credentials_from_password_stores_query.yml @@ -18,12 +18,12 @@ references: - https://github.com/carlospolop/PEASS-ng/tree/master/winPEAS - https://www.microsoft.com/en-us/security/blog/2022/10/14/new-prestige-ransomware-impacts-organizations-in-ukraine-and-poland/ drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_credentials_in_registry_reg_query.yml b/detections/endpoint/windows_credentials_in_registry_reg_query.yml index 588687f379..b1ef7baa6f 100644 --- a/detections/endpoint/windows_credentials_in_registry_reg_query.yml +++ b/detections/endpoint/windows_credentials_in_registry_reg_query.yml @@ -18,12 +18,12 @@ references: - https://github.com/carlospolop/PEASS-ng/tree/master/winPEAS - https://www.microsoft.com/en-us/security/blog/2022/10/14/new-prestige-ransomware-impacts-organizations-in-ukraine-and-poland/ drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_curl_download_to_suspicious_path.yml b/detections/endpoint/windows_curl_download_to_suspicious_path.yml index baaefc1c4c..c1c899e3d2 100644 --- a/detections/endpoint/windows_curl_download_to_suspicious_path.yml +++ b/detections/endpoint/windows_curl_download_to_suspicious_path.yml @@ -18,12 +18,12 @@ references: - https://attack.mitre.org/techniques/T1105/ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1105/T1105.md drilldown_searches: -- name: View the detection results for $user$ and $dest$ - search: '%original_detection_search% | search user = $user$ dest = $dest$' +- name: View the detection results for - "$user$" and "$dest$" + search: '%original_detection_search% | search user = "$user$" dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ and $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$, $dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" and "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_curl_upload_to_remote_destination.yml b/detections/endpoint/windows_curl_upload_to_remote_destination.yml index ab40de3b3e..07874b6a6c 100644 --- a/detections/endpoint/windows_curl_upload_to_remote_destination.yml +++ b/detections/endpoint/windows_curl_upload_to_remote_destination.yml @@ -18,12 +18,12 @@ references: - https://techcommunity.microsoft.com/t5/containers/tar-and-curl-come-to-windows/ba-p/382409 - https://twitter.com/d1r4c/status/1279042657508081664?s=20 drilldown_searches: -- name: View the detection results for $user$ and $dest$ - search: '%original_detection_search% | search user = $user$ dest = $dest$' +- name: View the detection results for - "$user$" and "$dest$" + search: '%original_detection_search% | search user = "$user$" dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ and $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$, $dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" and "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_data_destruction_recursive_exec_files_deletion.yml b/detections/endpoint/windows_data_destruction_recursive_exec_files_deletion.yml index 25cffb0859..fcd65f925e 100644 --- a/detections/endpoint/windows_data_destruction_recursive_exec_files_deletion.yml +++ b/detections/endpoint/windows_data_destruction_recursive_exec_files_deletion.yml @@ -15,12 +15,12 @@ known_false_positives: The uninstallation of a large software application or the references: - https://www.welivesecurity.com/2023/01/27/swiftslicer-new-destructive-wiper-malware-ukraine/ drilldown_searches: -- name: View the detection results for $user$ and $dest$ - search: '%original_detection_search% | search user = $user$ dest = $dest$' +- name: View the detection results for - "$user$" and "$dest$" + search: '%original_detection_search% | search user = "$user$" dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ and $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$, $dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" and "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_debugger_tool_execution.yml b/detections/endpoint/windows_debugger_tool_execution.yml index 61ce728962..08c6495c63 100644 --- a/detections/endpoint/windows_debugger_tool_execution.yml +++ b/detections/endpoint/windows_debugger_tool_execution.yml @@ -6,26 +6,9 @@ author: Teoderick Contreras, Splunk data_source: [] type: Hunting status: production -description: This analysis detects the use of debugger tools within a production environment. - While these tools are legitimate for file analysis and debugging, they are abused by malware - like PlugX and DarkGate for malicious DLL side-loading. The hunting query aids Security Operations Centers (SOCs) - in identifying potentially suspicious tool executions, particularly for non-technical users in the production network. -search: '| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes - where Processes.process_name = "x32dbg.exe" OR Processes.process_name = "x64dbg.exe" OR Processes.process_name = "windbg.exe" - by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id - | `drop_dm_object_name(Processes)` - | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` - | `windows_debugger_tool_execution_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection - and Response (EDR) agents. These agents are designed to provide security-related - telemetry from the endpoints where the agent is installed. To implement this search, - you must ingest logs that contain the process GUID, process name, and parent process. - Additionally, you must ingest complete command-line executions. These logs must - be processed using the appropriate Splunk Technology Add-ons that are specific to - the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` - data model. Use the Splunk Common Information Model (CIM) to normalize the field - names and speed up the data modeling process. +description: This analysis detects the use of debugger tools within a production environment. While these tools are legitimate for file analysis and debugging, they are abused by malware like PlugX and DarkGate for malicious DLL side-loading. The hunting query aids Security Operations Centers (SOCs) in identifying potentially suspicious tool executions, particularly for non-technical users in the production network. +search: '| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = "x32dbg.exe" OR Processes.process_name = "x64dbg.exe" OR Processes.process_name = "windbg.exe" by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_debugger_tool_execution_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. known_false_positives: administrator or IT professional may execute this application for verifying files or debugging application. references: - https://www.splunk.com/en_us/blog/security/enter-the-gates-an-analysis-of-the-darkgate-autoit-loader.html diff --git a/detections/endpoint/windows_defacement_modify_transcodedwallpaper_file.yml b/detections/endpoint/windows_defacement_modify_transcodedwallpaper_file.yml index 7049c2a138..aa34f4214a 100644 --- a/detections/endpoint/windows_defacement_modify_transcodedwallpaper_file.yml +++ b/detections/endpoint/windows_defacement_modify_transcodedwallpaper_file.yml @@ -17,12 +17,12 @@ references: - https://forums.ivanti.com/s/article/Wallpaper-Windows-Settings-Desktop-Settings-and-the-transcodedwallpaper-jpg?language=en_US - https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/ransom_sifreli.a drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_default_group_policy_object_modified.yml b/detections/endpoint/windows_default_group_policy_object_modified.yml index 10b57b00dd..bc24c42541 100644 --- a/detections/endpoint/windows_default_group_policy_object_modified.yml +++ b/detections/endpoint/windows_default_group_policy_object_modified.yml @@ -17,12 +17,12 @@ references: - https://www.trustedsec.com/blog/weaponizing-group-policy-objects-access/ - https://adsecurity.org/?p=2716 drilldown_searches: -- name: View the detection results for $Computer$ - search: '%original_detection_search% | search Computer = $Computer$' +- name: View the detection results for - "$Computer$" + search: '%original_detection_search% | search Computer = "$Computer$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $Computer$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($Computer$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$Computer$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$Computer$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_default_group_policy_object_modified_with_gpme.yml b/detections/endpoint/windows_default_group_policy_object_modified_with_gpme.yml index 230a10d752..f542d76204 100644 --- a/detections/endpoint/windows_default_group_policy_object_modified_with_gpme.yml +++ b/detections/endpoint/windows_default_group_policy_object_modified_with_gpme.yml @@ -20,12 +20,12 @@ references: - https://adsecurity.org/?p=2716 - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn265969(v=ws.11) drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_defender_asr_audit_events.yml b/detections/endpoint/windows_defender_asr_audit_events.yml index c24f9ef5a5..28ac443b52 100644 --- a/detections/endpoint/windows_defender_asr_audit_events.yml +++ b/detections/endpoint/windows_defender_asr_audit_events.yml @@ -18,12 +18,12 @@ known_false_positives: False positives are expected from legitimate applications references: - https://asrgen.streamlit.app/ drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_defender_asr_block_events.yml b/detections/endpoint/windows_defender_asr_block_events.yml index fe13a71988..53e8204af3 100644 --- a/detections/endpoint/windows_defender_asr_block_events.yml +++ b/detections/endpoint/windows_defender_asr_block_events.yml @@ -18,12 +18,12 @@ known_false_positives: False positives are expected from legitimate applications references: - https://asrgen.streamlit.app/ drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_defender_asr_registry_modification.yml b/detections/endpoint/windows_defender_asr_registry_modification.yml index 0281beed78..9b961070a3 100644 --- a/detections/endpoint/windows_defender_asr_registry_modification.yml +++ b/detections/endpoint/windows_defender_asr_registry_modification.yml @@ -7,33 +7,10 @@ status: production type: Hunting data_source: - Windows Event Log Defender 5007 -description: 'The following analytic detects modifications to Windows Defender Attack - Surface Reduction (ASR) registry settings. It leverages Windows Defender Operational - logs, specifically EventCode 5007, to identify changes in ASR rules. This activity - is significant because ASR rules are designed to block actions commonly used by - malware to exploit systems. Unauthorized modifications to these settings could indicate - an attempt to weaken system defenses. If confirmed malicious, this could allow an - attacker to bypass security measures, leading to potential system compromise and - data breaches.' -search: '`ms_defender` EventCode IN (5007) - | rex field=New_Value "0x(?\\d+)$" - | rex field=Old_Value "0x(?\\d+)$" - | rex field=New_Value "Rules\\\\(?[A-Fa-f0-9\\-]+)\\s*=" - | eval New_Registry_Value=case(New_Registry_Value=="0", "Disabled", New_Registry_Value=="1", "Block", New_Registry_Value=="2", "Audit", New_Registry_Value=="6", "Warn") - | eval Old_Registry_Value=case(Old_Registry_Value=="0", "Disabled", Old_Registry_Value=="1", "Block", Old_Registry_Value=="2", "Audit", Old_Registry_Value=="6", "Warn") - | stats count min(_time) as firstTime max(_time) as lastTime by host, New_Value, Old_Value, Old_Registry_Value, New_Registry_Value, ASR_ID - | lookup asr_rules ID AS ASR_ID OUTPUT ASR_Rule - | `security_content_ctime(firstTime)`| rename host as dest | `security_content_ctime(lastTime)` - | `windows_defender_asr_registry_modification_filter`' -how_to_implement: The following analytic requires collection of Windows Defender Operational - logs in either XML or multi-line. To collect, setup a new input for the Windows - Defender Operational logs. In addition, it does require a lookup that maps the ID - to ASR Rule name. -known_false_positives: False positives are expected from legitimate applications generating - events that are similar to those generated by malicious activity. For example, Event - ID 5007 is generated when a process attempts to modify a registry key that is related - to ASR rules. This can be triggered by legitimate applications that attempt to modify - registry keys that are not blocked by ASR rules. +description: The following analytic detects modifications to Windows Defender Attack Surface Reduction (ASR) registry settings. It leverages Windows Defender Operational logs, specifically EventCode 5007, to identify changes in ASR rules. This activity is significant because ASR rules are designed to block actions commonly used by malware to exploit systems. Unauthorized modifications to these settings could indicate an attempt to weaken system defenses. If confirmed malicious, this could allow an attacker to bypass security measures, leading to potential system compromise and data breaches. +search: '`ms_defender` EventCode IN (5007) | rex field=New_Value "0x(?\\d+)$" | rex field=Old_Value "0x(?\\d+)$" | rex field=New_Value "Rules\\\\(?[A-Fa-f0-9\\-]+)\\s*=" | eval New_Registry_Value=case(New_Registry_Value=="0", "Disabled", New_Registry_Value=="1", "Block", New_Registry_Value=="2", "Audit", New_Registry_Value=="6", "Warn") | eval Old_Registry_Value=case(Old_Registry_Value=="0", "Disabled", Old_Registry_Value=="1", "Block", Old_Registry_Value=="2", "Audit", Old_Registry_Value=="6", "Warn") | stats count min(_time) as firstTime max(_time) as lastTime by host, New_Value, Old_Value, Old_Registry_Value, New_Registry_Value, ASR_ID | lookup asr_rules ID AS ASR_ID OUTPUT ASR_Rule | `security_content_ctime(firstTime)`| rename host as dest | `security_content_ctime(lastTime)` | `windows_defender_asr_registry_modification_filter`' +how_to_implement: The following analytic requires collection of Windows Defender Operational logs in either XML or multi-line. To collect, setup a new input for the Windows Defender Operational logs. In addition, it does require a lookup that maps the ID to ASR Rule name. +known_false_positives: False positives are expected from legitimate applications generating events that are similar to those generated by malicious activity. For example, Event ID 5007 is generated when a process attempts to modify a registry key that is related to ASR rules. This can be triggered by legitimate applications that attempt to modify registry keys that are not blocked by ASR rules. references: - https://asrgen.streamlit.app/ tags: @@ -67,7 +44,6 @@ tags: tests: - name: True Positive Test attack_data: - - data: - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059/defender/asr_registry.log + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059/defender/asr_registry.log source: WinEventLog:Microsoft-Windows-Windows Defender/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/windows_defender_asr_rule_disabled.yml b/detections/endpoint/windows_defender_asr_rule_disabled.yml index 5d51015986..e82fa727cd 100644 --- a/detections/endpoint/windows_defender_asr_rule_disabled.yml +++ b/detections/endpoint/windows_defender_asr_rule_disabled.yml @@ -14,12 +14,12 @@ known_false_positives: False positives may occur if applications are typically d references: - https://asrgen.streamlit.app/ drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_defender_asr_rules_stacking.yml b/detections/endpoint/windows_defender_asr_rules_stacking.yml index 57130122db..5deb196fbe 100644 --- a/detections/endpoint/windows_defender_asr_rules_stacking.yml +++ b/detections/endpoint/windows_defender_asr_rules_stacking.yml @@ -15,33 +15,10 @@ data_source: - Windows Event Log Defender 1133 - Windows Event Log Defender 1134 - Windows Event Log Defender 5007 -description: The following analytic identifies security events from Microsoft Defender, - focusing on Exploit Guard and Attack Surface Reduction (ASR) features. It detects - Event IDs 1121, 1126, 1131, and 1133 for blocked operations, and Event IDs 1122, - 1125, 1132, and 1134 for audit logs. Event ID 1129 indicates user overrides, while - Event ID 5007 signals configuration changes. This detection uses a lookup to correlate - ASR rule GUIDs with descriptive names. Monitoring these events is crucial for identifying - unauthorized operations, potential security breaches, and policy enforcement issues. - If confirmed malicious, attackers could bypass security measures, execute unauthorized - actions, or alter system configurations. -search: '`ms_defender` - EventCode IN (1121, 1122, 1125, 1126, 1129, 1131, 1132, 1133, 1134, 5007) - | stats count min(_time) as firstTime max(_time) as lastTime by host Parent_Commandline, Process_Name, Path, ID, EventCode - | lookup asr_rules ID OUTPUT ASR_Rule - | fillnull value=NULL - | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| rename host as dest - | `windows_defender_asr_rules_stacking_filter`' -how_to_implement: The following analytic requires collection of Windows Defender Operational - logs in either XML or multi-line. To collect, setup a new input for the Windows - Defender Operational logs. In addition, it does require a lookup that maps the ID - to ASR Rule name. Note that Audit and block Event IDs have different fields, therefore - the analytic will need to be modified for each type of event. The analytic can be - modified to look for specific ASR rules, or to look for specific Event IDs. EventID - 5007 is a change in the registry, and may be a false positive. This can be removed - from the search if desired. -known_false_positives: False positives are not expected with this analytic, since - it is a hunting analytic. It is meant to show the use of ASR rules and how they - can be used to detect malicious activity. +description: The following analytic identifies security events from Microsoft Defender, focusing on Exploit Guard and Attack Surface Reduction (ASR) features. It detects Event IDs 1121, 1126, 1131, and 1133 for blocked operations, and Event IDs 1122, 1125, 1132, and 1134 for audit logs. Event ID 1129 indicates user overrides, while Event ID 5007 signals configuration changes. This detection uses a lookup to correlate ASR rule GUIDs with descriptive names. Monitoring these events is crucial for identifying unauthorized operations, potential security breaches, and policy enforcement issues. If confirmed malicious, attackers could bypass security measures, execute unauthorized actions, or alter system configurations. +search: '`ms_defender` EventCode IN (1121, 1122, 1125, 1126, 1129, 1131, 1132, 1133, 1134, 5007) | stats count min(_time) as firstTime max(_time) as lastTime by host Parent_Commandline, Process_Name, Path, ID, EventCode | lookup asr_rules ID OUTPUT ASR_Rule | fillnull value=NULL | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| rename host as dest | `windows_defender_asr_rules_stacking_filter`' +how_to_implement: The following analytic requires collection of Windows Defender Operational logs in either XML or multi-line. To collect, setup a new input for the Windows Defender Operational logs. In addition, it does require a lookup that maps the ID to ASR Rule name. Note that Audit and block Event IDs have different fields, therefore the analytic will need to be modified for each type of event. The analytic can be modified to look for specific ASR rules, or to look for specific Event IDs. EventID 5007 is a change in the registry, and may be a false positive. This can be removed from the search if desired. +known_false_positives: False positives are not expected with this analytic, since it is a hunting analytic. It is meant to show the use of ASR rules and how they can be used to detect malicious activity. references: - https://asrgen.streamlit.app/ - https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/attack-surface-reduction?view=o365-worldwide @@ -82,7 +59,6 @@ tags: tests: - name: True Positive Test attack_data: - - data: - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059/defender/asr_defender_operational.log + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059/defender/asr_defender_operational.log source: WinEventLog:Microsoft-Windows-Windows Defender/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/windows_defender_exclusion_registry_entry.yml b/detections/endpoint/windows_defender_exclusion_registry_entry.yml index 409e59ebd1..416607e73d 100644 --- a/detections/endpoint/windows_defender_exclusion_registry_entry.yml +++ b/detections/endpoint/windows_defender_exclusion_registry_entry.yml @@ -17,12 +17,12 @@ references: - https://app.any.run/tasks/cf1245de-06a7-4366-8209-8e3006f2bfe5/ - https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/ drilldown_searches: -- name: View the detection results for $user$ and $dest$ - search: '%original_detection_search% | search user = $user$ dest = $dest$' +- name: View the detection results for - "$user$" and "$dest$" + search: '%original_detection_search% | search user = "$user$" dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ and $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$, $dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" and "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_delete_or_modify_system_firewall.yml b/detections/endpoint/windows_delete_or_modify_system_firewall.yml index 2d725833aa..32e1a10c38 100644 --- a/detections/endpoint/windows_delete_or_modify_system_firewall.yml +++ b/detections/endpoint/windows_delete_or_modify_system_firewall.yml @@ -16,12 +16,12 @@ known_false_positives: Administrator may modify or delete firewall configuration references: - https://malpedia.caad.fkie.fraunhofer.de/details/win.njrat drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_deleted_registry_by_a_non_critical_process_file_path.yml b/detections/endpoint/windows_deleted_registry_by_a_non_critical_process_file_path.yml index 5733051649..de035375e4 100644 --- a/detections/endpoint/windows_deleted_registry_by_a_non_critical_process_file_path.yml +++ b/detections/endpoint/windows_deleted_registry_by_a_non_critical_process_file_path.yml @@ -15,12 +15,12 @@ known_false_positives: This detection can catch for third party application upda references: - https://blog.talosintelligence.com/2022/03/threat-advisory-doublezero.html drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_disable_change_password_through_registry.yml b/detections/endpoint/windows_disable_change_password_through_registry.yml index 9637bc0b13..53ccea6f2d 100644 --- a/detections/endpoint/windows_disable_change_password_through_registry.yml +++ b/detections/endpoint/windows_disable_change_password_through_registry.yml @@ -15,12 +15,12 @@ known_false_positives: This windows feature may implemented by administrator to references: - https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/ransom_heartbleed.thdobah drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_disable_lock_workstation_feature_through_registry.yml b/detections/endpoint/windows_disable_lock_workstation_feature_through_registry.yml index 23c663a947..a32a24096c 100644 --- a/detections/endpoint/windows_disable_lock_workstation_feature_through_registry.yml +++ b/detections/endpoint/windows_disable_lock_workstation_feature_through_registry.yml @@ -16,12 +16,12 @@ references: - https://www.bleepingcomputer.com/news/security/in-dev-ransomware-forces-you-do-to-survey-before-unlocking-computer/ - https://heimdalsecurity.com/blog/fatalrat-targets-telegram/ drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_disable_logoff_button_through_registry.yml b/detections/endpoint/windows_disable_logoff_button_through_registry.yml index 3f2e8ccfbf..d46252a1c5 100644 --- a/detections/endpoint/windows_disable_logoff_button_through_registry.yml +++ b/detections/endpoint/windows_disable_logoff_button_through_registry.yml @@ -17,12 +17,12 @@ references: - https://malwiki.org/index.php?title=DigiPop.xp - https://www.trendmicro.com/vinfo/be/threat-encyclopedia/search/js_noclose.e/2 drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_disable_memory_crash_dump.yml b/detections/endpoint/windows_disable_memory_crash_dump.yml index 5e303dc786..0ffb6633cc 100644 --- a/detections/endpoint/windows_disable_memory_crash_dump.yml +++ b/detections/endpoint/windows_disable_memory_crash_dump.yml @@ -16,12 +16,12 @@ references: - https://blog.talosintelligence.com/2022/02/threat-advisory-hermeticwiper.html - https://docs.microsoft.com/en-us/troubleshoot/windows-server/performance/memory-dump-file-options drilldown_searches: -- name: View the detection results for $user$ and $dest$ - search: '%original_detection_search% | search user = $user$ dest = $dest$' +- name: View the detection results for - "$user$" and "$dest$" + search: '%original_detection_search% | search user = "$user$" dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ and $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$, $dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" and "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_disable_notification_center.yml b/detections/endpoint/windows_disable_notification_center.yml index d1946800b8..cda91935bf 100644 --- a/detections/endpoint/windows_disable_notification_center.yml +++ b/detections/endpoint/windows_disable_notification_center.yml @@ -15,12 +15,12 @@ known_false_positives: admin or user may choose to disable this windows features references: - https://tccontre.blogspot.com/2020/01/remcos-rat-evading-windows-defender-av.html drilldown_searches: -- name: View the detection results for $user$ and $dest$ - search: '%original_detection_search% | search user = $user$ dest = $dest$' +- name: View the detection results for - "$user$" and "$dest$" + search: '%original_detection_search% | search user = "$user$" dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ and $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$, $dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" and "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_disable_or_modify_tools_via_taskkill.yml b/detections/endpoint/windows_disable_or_modify_tools_via_taskkill.yml index ad83729fe6..b458094207 100644 --- a/detections/endpoint/windows_disable_or_modify_tools_via_taskkill.yml +++ b/detections/endpoint/windows_disable_or_modify_tools_via_taskkill.yml @@ -16,12 +16,12 @@ known_false_positives: Network administrator can use this application to kill pr references: - https://malpedia.caad.fkie.fraunhofer.de/details/win.njrat drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_disable_shutdown_button_through_registry.yml b/detections/endpoint/windows_disable_shutdown_button_through_registry.yml index d5d54e6983..93b72a101c 100644 --- a/detections/endpoint/windows_disable_shutdown_button_through_registry.yml +++ b/detections/endpoint/windows_disable_shutdown_button_through_registry.yml @@ -15,12 +15,12 @@ known_false_positives: This windows feature may implement by administrator in so references: - https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/ransom.msil.screenlocker.a/ drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_disable_windows_event_logging_disable_http_logging.yml b/detections/endpoint/windows_disable_windows_event_logging_disable_http_logging.yml index d80b6f382a..ada5b7c1aa 100644 --- a/detections/endpoint/windows_disable_windows_event_logging_disable_http_logging.yml +++ b/detections/endpoint/windows_disable_windows_event_logging_disable_http_logging.yml @@ -19,12 +19,12 @@ references: - https://www.secureworks.com/research/bronze-union - https://strontic.github.io/xcyclopedia/library/appcmd.exe-055B2B09409F980BF9B5A3969D01E5B2.html drilldown_searches: -- name: View the detection results for $user$ and $dest$ - search: '%original_detection_search% | search user = $user$ dest = $dest$' +- name: View the detection results for - "$user$" and "$dest$" + search: '%original_detection_search% | search user = "$user$" dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ and $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$, $dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" and "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_disable_windows_group_policy_features_through_registry.yml b/detections/endpoint/windows_disable_windows_group_policy_features_through_registry.yml index 038dd86319..0637e0fd43 100644 --- a/detections/endpoint/windows_disable_windows_group_policy_features_through_registry.yml +++ b/detections/endpoint/windows_disable_windows_group_policy_features_through_registry.yml @@ -17,12 +17,12 @@ references: - https://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~Krotten-N/detailed-analysis - https://www.virustotal.com/gui/file/2d7855bf6470aa323edf2949b54ce2a04d9e38770f1322c3d0420c2303178d91/details drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_disableantispyware_registry.yml b/detections/endpoint/windows_disableantispyware_registry.yml index 6403eab24d..9c391d1087 100644 --- a/detections/endpoint/windows_disableantispyware_registry.yml +++ b/detections/endpoint/windows_disableantispyware_registry.yml @@ -15,12 +15,12 @@ known_false_positives: It is unusual to turn this feature off a Windows system s references: - https://blog.malwarebytes.com/malwarebytes-news/2021/02/lazyscripter-from-empire-to-double-rat/ drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_diskcryptor_usage.yml b/detections/endpoint/windows_diskcryptor_usage.yml index c77372c86c..fc463028cc 100644 --- a/detections/endpoint/windows_diskcryptor_usage.yml +++ b/detections/endpoint/windows_diskcryptor_usage.yml @@ -5,36 +5,14 @@ date: '2024-10-17' author: Michael Haag, Splunk status: production type: Hunting -description: The following analytic detects the execution of DiskCryptor, identified - by the process names "dcrypt.exe" or "dcinst.exe". This detection leverages data - from Endpoint Detection and Response (EDR) agents, focusing on process names and - original file names. DiskCryptor is significant because adversaries use it to manually - encrypt disks during an operation, potentially leading to data inaccessibility. - If confirmed malicious, this activity could result in complete disk encryption, - causing data loss and operational disruption. Immediate investigation is required - to mitigate potential ransomware attacks. +description: The following analytic detects the execution of DiskCryptor, identified by the process names "dcrypt.exe" or "dcinst.exe". This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and original file names. DiskCryptor is significant because adversaries use it to manually encrypt disks during an operation, potentially leading to data inaccessibility. If confirmed malicious, this activity could result in complete disk encryption, causing data loss and operational disruption. Immediate investigation is required to mitigate potential ransomware attacks. data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) - as lastTime from datamodel=Endpoint.Processes where (Processes.process_name="dcrypt.exe" - OR Processes.original_file_name=dcinst.exe) by Processes.dest Processes.user Processes.parent_process_name - Processes.process_name Processes.original_file_name Processes.process Processes.process_id - Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` | `windows_diskcryptor_usage_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection - and Response (EDR) agents. These agents are designed to provide security-related - telemetry from the endpoints where the agent is installed. To implement this search, - you must ingest logs that contain the process GUID, process name, and parent process. - Additionally, you must ingest complete command-line executions. These logs must - be processed using the appropriate Splunk Technology Add-ons that are specific to - the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` - data model. Use the Splunk Common Information Model (CIM) to normalize the field - names and speed up the data modeling process. -known_false_positives: It is possible false positives may be present based on the - internal name dcinst.exe, filter as needed. It may be worthy to alert on the service - name. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name="dcrypt.exe" OR Processes.original_file_name=dcinst.exe) by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_diskcryptor_usage_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. +known_false_positives: It is possible false positives may be present based on the internal name dcinst.exe, filter as needed. It may be worthy to alert on the service name. references: - https://thedfirreport.com/2021/11/15/exchange-exploit-leads-to-domain-wide-ransomware/ - https://github.com/DavidXanatos/DiskCryptor @@ -44,8 +22,7 @@ tags: asset_type: Endpoint confidence: 50 impact: 70 - message: An instance of $parent_process_name$ spawning $process_name$ was identified - on endpoint $dest$ by user $user$ attempting to encrypt disks. + message: An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to encrypt disks. mitre_attack_id: - T1486 observable: @@ -87,7 +64,6 @@ tags: tests: - name: True Positive Test attack_data: - - data: - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1486/dcrypt/windows-sysmon.log + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1486/dcrypt/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/windows_diskshadow_proxy_execution.yml b/detections/endpoint/windows_diskshadow_proxy_execution.yml index 04b98b7215..4a83a41826 100644 --- a/detections/endpoint/windows_diskshadow_proxy_execution.yml +++ b/detections/endpoint/windows_diskshadow_proxy_execution.yml @@ -16,12 +16,12 @@ known_false_positives: Administrators using the DiskShadow tool in their infrast references: - https://bohops.com/2018/03/26/diskshadow-the-return-of-vss-evasion-persistence-and-active-directory-database-extraction/ drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_dism_install_powershell_web_access.yml b/detections/endpoint/windows_dism_install_powershell_web_access.yml index 2b77171527..bd6bea68a1 100644 --- a/detections/endpoint/windows_dism_install_powershell_web_access.yml +++ b/detections/endpoint/windows_dism_install_powershell_web_access.yml @@ -16,12 +16,12 @@ references: - https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-241a - https://gist.github.com/MHaggis/7e67b659af9148fa593cf2402edebb41 drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_dism_remove_defender.yml b/detections/endpoint/windows_dism_remove_defender.yml index a0bb5a6746..632220d18c 100644 --- a/detections/endpoint/windows_dism_remove_defender.yml +++ b/detections/endpoint/windows_dism_remove_defender.yml @@ -16,12 +16,12 @@ known_false_positives: Some legitimate administrative tools leverage `dism.exe` references: - https://thedfirreport.com/2020/11/23/pysa-mespinoza-ransomware/ drilldown_searches: -- name: View the detection results for $user$ and $dest$ - search: '%original_detection_search% | search user = $user$ dest = $dest$' +- name: View the detection results for - "$user$" and "$dest$" + search: '%original_detection_search% | search user = "$user$" dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ and $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$, $dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" and "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_dll_search_order_hijacking_hunt_with_sysmon.yml b/detections/endpoint/windows_dll_search_order_hijacking_hunt_with_sysmon.yml index b5551e76a2..d9ee423c66 100644 --- a/detections/endpoint/windows_dll_search_order_hijacking_hunt_with_sysmon.yml +++ b/detections/endpoint/windows_dll_search_order_hijacking_hunt_with_sysmon.yml @@ -5,26 +5,12 @@ date: '2024-10-17' author: Michael Haag, Splunk status: production type: Hunting -description: The following analytic identifies potential DLL search order hijacking - or DLL sideloading by detecting known Windows libraries loaded from non-standard - directories. It leverages Sysmon EventCode 7 to monitor DLL loads and cross-references - them with a lookup of known hijackable libraries. This activity is significant as - it may indicate an attempt to execute malicious code by exploiting DLL search order - vulnerabilities. If confirmed malicious, this could allow attackers to gain code - execution, escalate privileges, or maintain persistence within the environment. +description: The following analytic identifies potential DLL search order hijacking or DLL sideloading by detecting known Windows libraries loaded from non-standard directories. It leverages Sysmon EventCode 7 to monitor DLL loads and cross-references them with a lookup of known hijackable libraries. This activity is significant as it may indicate an attempt to execute malicious code by exploiting DLL search order vulnerabilities. If confirmed malicious, this could allow attackers to gain code execution, escalate privileges, or maintain persistence within the environment. data_source: - Sysmon EventID 7 -search: '`sysmon` EventCode=7 NOT (process_path IN ("*\\system32\\*", "*\\syswow64\\*","*\\winsxs\\*","*\\wbem\\*")) - | lookup hijacklibs library AS loaded_file OUTPUT islibrary | search islibrary = - True | stats count min(_time) as firstTime max(_time) as lastTime values(process_name) - as process_name by _time dest loaded_file | `windows_dll_search_order_hijacking_hunt_with_sysmon_filter`' -how_to_implement: The search is written against the latest Sysmon TA 4.0 https://splunkbase.splunk.com/app/5709. - For this specific event ID 7, the sysmon TA will extract the ImageLoaded name to - the loaded_file field which is used in the search to compare against the hijacklibs - lookup. -known_false_positives: False positives will be present based on paths. Filter or add - other paths to the exclusion as needed. Some applications may legitimately load - libraries from non-standard paths. +search: '`sysmon` EventCode=7 NOT (process_path IN ("*\\system32\\*", "*\\syswow64\\*","*\\winsxs\\*","*\\wbem\\*")) | lookup hijacklibs library AS loaded_file OUTPUT islibrary | search islibrary = True | stats count min(_time) as firstTime max(_time) as lastTime values(process_name) as process_name by _time dest loaded_file | `windows_dll_search_order_hijacking_hunt_with_sysmon_filter`' +how_to_implement: The search is written against the latest Sysmon TA 4.0 https://splunkbase.splunk.com/app/5709. For this specific event ID 7, the sysmon TA will extract the ImageLoaded name to the loaded_file field which is used in the search to compare against the hijacklibs lookup. +known_false_positives: False positives will be present based on paths. Filter or add other paths to the exclusion as needed. Some applications may legitimately load libraries from non-standard paths. references: - https://hijacklibs.net tags: @@ -58,8 +44,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1574.001/atomic_red_team/windows-sysmon.log + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1574.001/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog update_timestamp: true diff --git a/detections/endpoint/windows_dll_search_order_hijacking_with_iscsicpl.yml b/detections/endpoint/windows_dll_search_order_hijacking_with_iscsicpl.yml index abd8e3d61f..aabd8c17cf 100644 --- a/detections/endpoint/windows_dll_search_order_hijacking_with_iscsicpl.yml +++ b/detections/endpoint/windows_dll_search_order_hijacking_with_iscsicpl.yml @@ -17,12 +17,12 @@ references: - https://github.com/hackerhouse-opensource/iscsicpl_bypassUAC - https://github.com/422926799/csplugin/tree/master/bypassUAC drilldown_searches: -- name: View the detection results for $user$ and $dest$ - search: '%original_detection_search% | search user = $user$ dest = $dest$' +- name: View the detection results for - "$user$" and "$dest$" + search: '%original_detection_search% | search user = "$user$" dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ and $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$, $dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" and "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_dll_side_loading_in_calc.yml b/detections/endpoint/windows_dll_side_loading_in_calc.yml index e4118ad8f2..8865f519f8 100644 --- a/detections/endpoint/windows_dll_side_loading_in_calc.yml +++ b/detections/endpoint/windows_dll_side_loading_in_calc.yml @@ -14,12 +14,12 @@ known_false_positives: unknown references: - https://www.bitdefender.com/blog/hotforsecurity/new-qakbot-malware-strain-replaces-windows-calculator-dll-to-infected-pcs/ drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_dll_side_loading_process_child_of_calc.yml b/detections/endpoint/windows_dll_side_loading_process_child_of_calc.yml index 5429fc2ecc..7756b8d365 100644 --- a/detections/endpoint/windows_dll_side_loading_process_child_of_calc.yml +++ b/detections/endpoint/windows_dll_side_loading_process_child_of_calc.yml @@ -16,12 +16,12 @@ known_false_positives: unknown references: - https://malpedia.caad.fkie.fraunhofer.de/details/win.qakbot drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_dns_gather_network_info.yml b/detections/endpoint/windows_dns_gather_network_info.yml index b855957508..166dba229f 100644 --- a/detections/endpoint/windows_dns_gather_network_info.yml +++ b/detections/endpoint/windows_dns_gather_network_info.yml @@ -17,12 +17,12 @@ references: - https://cert.gov.ua/article/3718487 - https://media.defense.gov/2023/May/24/2003229517/-1/-1/0/CSA_Living_off_the_Land.PDF drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_dnsadmins_new_member_added.yml b/detections/endpoint/windows_dnsadmins_new_member_added.yml index 0e5acb0faf..1ad888380e 100644 --- a/detections/endpoint/windows_dnsadmins_new_member_added.yml +++ b/detections/endpoint/windows_dnsadmins_new_member_added.yml @@ -17,12 +17,12 @@ references: - https://www.hackingarticles.in/windows-privilege-escalation-dnsadmins-to-domainadmin/ - https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4732 drilldown_searches: -- name: View the detection results for $src_user$ - search: '%original_detection_search% | search src_user = $src_user$' +- name: View the detection results for - "$src_user$" + search: '%original_detection_search% | search src_user = "$src_user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $src_user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($src_user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$src_user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src_user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_domain_account_discovery_via_get_netcomputer.yml b/detections/endpoint/windows_domain_account_discovery_via_get_netcomputer.yml index 7922fb3c29..1568e7f42e 100644 --- a/detections/endpoint/windows_domain_account_discovery_via_get_netcomputer.yml +++ b/detections/endpoint/windows_domain_account_discovery_via_get_netcomputer.yml @@ -14,12 +14,12 @@ known_false_positives: Administrators may leverage PowerView for legitimate purp references: - https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_domain_admin_impersonation_indicator.yml b/detections/endpoint/windows_domain_admin_impersonation_indicator.yml index 9105d2603e..d914bab0d1 100644 --- a/detections/endpoint/windows_domain_admin_impersonation_indicator.yml +++ b/detections/endpoint/windows_domain_admin_impersonation_indicator.yml @@ -17,12 +17,12 @@ references: - https://github.com/GhostPack/Rubeus/pull/136 - https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4627 drilldown_searches: -- name: View the detection results for $TargetUserName$ - search: '%original_detection_search% | search TargetUserName = $TargetUserName$' +- name: View the detection results for - "$TargetUserName$" + search: '%original_detection_search% | search TargetUserName = "$TargetUserName$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $TargetUserName$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($TargetUserName$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$TargetUserName$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$TargetUserName$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_dotnet_binary_in_non_standard_path.yml b/detections/endpoint/windows_dotnet_binary_in_non_standard_path.yml index c286dc9ad4..6a2d52948a 100644 --- a/detections/endpoint/windows_dotnet_binary_in_non_standard_path.yml +++ b/detections/endpoint/windows_dotnet_binary_in_non_standard_path.yml @@ -19,12 +19,12 @@ references: - https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.004/T1218.004.md drilldown_searches: -- name: View the detection results for $user$ and $dest$ - search: '%original_detection_search% | search user = $user$ dest = $dest$' +- name: View the detection results for - "$user$" and "$dest$" + search: '%original_detection_search% | search user = "$user$" dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ and $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$, $dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" and "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_driver_inventory.yml b/detections/endpoint/windows_driver_inventory.yml index a184014789..b5f5e7b05b 100644 --- a/detections/endpoint/windows_driver_inventory.yml +++ b/detections/endpoint/windows_driver_inventory.yml @@ -5,20 +5,11 @@ date: '2024-10-17' author: Michael Haag, Splunk status: experimental type: Hunting -description: The following analytic identifies drivers being loaded across the fleet. - It leverages a PowerShell script input deployed to critical systems to capture driver - data. This detection is significant as it helps monitor for unauthorized or malicious - drivers that could compromise system integrity. If confirmed malicious, such drivers - could allow attackers to execute arbitrary code, escalate privileges, or maintain - persistence within the environment. +description: The following analytic identifies drivers being loaded across the fleet. It leverages a PowerShell script input deployed to critical systems to capture driver data. This detection is significant as it helps monitor for unauthorized or malicious drivers that could compromise system integrity. If confirmed malicious, such drivers could allow attackers to execute arbitrary code, escalate privileges, or maintain persistence within the environment. data_source: [] -search: '`driverinventory` | stats values(Path) min(_time) as firstTime max(_time) - as lastTime count by host DriverType | rename host as dest | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` | `windows_driver_inventory_filter`' -how_to_implement: To capture the drivers by host, utilize the referenced Gist to create - the inputs, props and transforms. Otherwise, this hunt query will not work. -known_false_positives: Filter and modify the analytic as you'd like. Filter based - on path. Remove the system32\drivers and look for non-standard paths. +search: '`driverinventory` | stats values(Path) min(_time) as firstTime max(_time) as lastTime count by host DriverType | rename host as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_driver_inventory_filter`' +how_to_implement: To capture the drivers by host, utilize the referenced Gist to create the inputs, props and transforms. Otherwise, this hunt query will not work. +known_false_positives: Filter and modify the analytic as you'd like. Filter based on path. Remove the system32\drivers and look for non-standard paths. references: - https://gist.github.com/MHaggis/3e4dc85c69b3f7a4595a06c8a692f244 tags: @@ -49,8 +40,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1068/drivers/driver_inventory.log + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1068/drivers/driver_inventory.log source: PwSh:DriverInventory sourcetype: PwSh:DriverInventory update_timestamp: true diff --git a/detections/endpoint/windows_driver_load_non_standard_path.yml b/detections/endpoint/windows_driver_load_non_standard_path.yml index a15e7c5be3..93264b892e 100644 --- a/detections/endpoint/windows_driver_load_non_standard_path.yml +++ b/detections/endpoint/windows_driver_load_non_standard_path.yml @@ -16,12 +16,12 @@ references: - https://attack.mitre.org/techniques/T1014/ - https://www.fuzzysecurity.com/tutorials/28.html drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_drivers_loaded_by_signature.yml b/detections/endpoint/windows_drivers_loaded_by_signature.yml index 081f29f24a..c93389b598 100644 --- a/detections/endpoint/windows_drivers_loaded_by_signature.yml +++ b/detections/endpoint/windows_drivers_loaded_by_signature.yml @@ -5,26 +5,12 @@ date: '2024-10-17' author: Michael Haag, Splunk status: production type: Hunting -description: The following analytic identifies all drivers being loaded on Windows - systems using Sysmon EventCode 6 (Driver Load). It leverages fields such as driver - path, signature status, and hash to detect potentially suspicious drivers. This - activity is significant for a SOC as malicious drivers can be used to gain kernel-level - access, bypass security controls, or persist in the environment. If confirmed malicious, - this activity could allow an attacker to execute arbitrary code with high privileges, - leading to severe system compromise and potential data exfiltration. +description: The following analytic identifies all drivers being loaded on Windows systems using Sysmon EventCode 6 (Driver Load). It leverages fields such as driver path, signature status, and hash to detect potentially suspicious drivers. This activity is significant for a SOC as malicious drivers can be used to gain kernel-level access, bypass security controls, or persist in the environment. If confirmed malicious, this activity could allow an attacker to execute arbitrary code with high privileges, leading to severe system compromise and potential data exfiltration. data_source: - Sysmon EventID 6 -search: '`sysmon` EventCode=6 | stats min(_time) as firstTime max(_time) as lastTime - values(ImageLoaded) count by dest Signed Signature service_signature_verified service_signature_exists - Hashes | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` - | `windows_drivers_loaded_by_signature_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting - logs with the process name, parent process, and command-line executions from your - endpoints. If you are using Sysmon, you must have the latest version of the Sysmon - TA. Most EDR products provide the ability to review driver loads, or module loads, - and using a query as such help with hunting for malicious drivers. -known_false_positives: This analytic is meant to assist with identifying drivers loaded - in the environment and not to be setup for notables off the bat. +search: '`sysmon` EventCode=6 | stats min(_time) as firstTime max(_time) as lastTime values(ImageLoaded) count by dest Signed Signature service_signature_verified service_signature_exists Hashes | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_drivers_loaded_by_signature_filter`' +how_to_implement: To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have the latest version of the Sysmon TA. Most EDR products provide the ability to review driver loads, or module loads, and using a query as such help with hunting for malicious drivers. +known_false_positives: This analytic is meant to assist with identifying drivers loaded in the environment and not to be setup for notables off the bat. references: - https://redcanary.com/blog/tracking-driver-inventory-to-expose-rootkits/ - https://attack.mitre.org/techniques/T1014/ @@ -65,7 +51,6 @@ tags: tests: - name: True Positive Test attack_data: - - data: - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1014/windows-sysmon.log + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1014/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/windows_enable_powershell_web_access.yml b/detections/endpoint/windows_enable_powershell_web_access.yml index 3564b9b46f..fb8dea6a41 100644 --- a/detections/endpoint/windows_enable_powershell_web_access.yml +++ b/detections/endpoint/windows_enable_powershell_web_access.yml @@ -15,12 +15,12 @@ references: - https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-241a - https://gist.github.com/MHaggis/7e67b659af9148fa593cf2402edebb41 drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_enable_win32_scheduledjob_via_registry.yml b/detections/endpoint/windows_enable_win32_scheduledjob_via_registry.yml index 4c9c7f3c26..21285d3cda 100644 --- a/detections/endpoint/windows_enable_win32_scheduledjob_via_registry.yml +++ b/detections/endpoint/windows_enable_win32_scheduledjob_via_registry.yml @@ -16,12 +16,12 @@ references: - https://securityonline.info/wmiexec-regout-get-outputdata-response-from-registry/ - https://learn.microsoft.com/en-us/windows/win32/cimwin32prov/win32-scheduledjob drilldown_searches: -- name: View the detection results for $user$ and $dest$ - search: '%original_detection_search% | search user = $user$ dest = $dest$' +- name: View the detection results for - "$user$" and "$dest$" + search: '%original_detection_search% | search user = "$user$" dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ and $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$, $dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" and "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_esx_admins_group_creation_security_event.yml b/detections/endpoint/windows_esx_admins_group_creation_security_event.yml index 123929c45e..a9f49f4fd4 100644 --- a/detections/endpoint/windows_esx_admins_group_creation_security_event.yml +++ b/detections/endpoint/windows_esx_admins_group_creation_security_event.yml @@ -18,12 +18,12 @@ references: - https://www.microsoft.com/en-us/security/blog/2024/07/29/ransomware-operators-exploit-esxi-hypervisor-vulnerability-for-mass-encryption/ - https://www.securityweek.com/microsoft-says-ransomware-gangs-exploiting-just-patched-vmware-esxi-flaw/ drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_esx_admins_group_creation_via_net.yml b/detections/endpoint/windows_esx_admins_group_creation_via_net.yml index 8fd70db1d4..3ec75a5970 100644 --- a/detections/endpoint/windows_esx_admins_group_creation_via_net.yml +++ b/detections/endpoint/windows_esx_admins_group_creation_via_net.yml @@ -16,12 +16,12 @@ references: - https://www.microsoft.com/en-us/security/blog/2024/07/29/ransomware-operators-exploit-esxi-hypervisor-vulnerability-for-mass-encryption/ - https://www.securityweek.com/microsoft-says-ransomware-gangs-exploiting-just-patched-vmware-esxi-flaw/ drilldown_searches: -- name: View the detection results for $user$ and $dest$ - search: '%original_detection_search% | search user = $user$ dest = $dest$' +- name: View the detection results for - "$user$" and "$dest$" + search: '%original_detection_search% | search user = "$user$" dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ and $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$, $dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" and "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_esx_admins_group_creation_via_powershell.yml b/detections/endpoint/windows_esx_admins_group_creation_via_powershell.yml index 23c858b51c..12ac5d2287 100644 --- a/detections/endpoint/windows_esx_admins_group_creation_via_powershell.yml +++ b/detections/endpoint/windows_esx_admins_group_creation_via_powershell.yml @@ -16,12 +16,12 @@ references: - https://www.microsoft.com/en-us/security/blog/2024/07/29/ransomware-operators-exploit-esxi-hypervisor-vulnerability-for-mass-encryption/ - https://www.securityweek.com/microsoft-says-ransomware-gangs-exploiting-just-patched-vmware-esxi-flaw/ drilldown_searches: -- name: View the detection results for $user$ and $dest$ - search: '%original_detection_search% | search user = $user$ dest = $dest$' +- name: View the detection results for - "$user$" and "$dest$" + search: '%original_detection_search% | search user = "$user$" dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ and $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$, $dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" and "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_event_for_service_disabled.yml b/detections/endpoint/windows_event_for_service_disabled.yml index e625ca8df6..0668edd350 100644 --- a/detections/endpoint/windows_event_for_service_disabled.yml +++ b/detections/endpoint/windows_event_for_service_disabled.yml @@ -5,24 +5,12 @@ date: '2024-10-17' author: Teoderick Contreras, Splunk status: production type: Hunting -description: The following analytic detects when a Windows service is modified from - a start type to disabled. It leverages system event logs, specifically EventCode - 7040, to identify this change. This activity is significant because adversaries - often disable security or other critical services to evade detection and maintain - control over a compromised host. If confirmed malicious, this action could allow - attackers to bypass security defenses, leading to further exploitation and persistence - within the environment. +description: The following analytic detects when a Windows service is modified from a start type to disabled. It leverages system event logs, specifically EventCode 7040, to identify this change. This activity is significant because adversaries often disable security or other critical services to evade detection and maintain control over a compromised host. If confirmed malicious, this action could allow attackers to bypass security defenses, leading to further exploitation and persistence within the environment. data_source: - Windows Event Log System 7040 -search: '`wineventlog_system` EventCode=7040 EventData_Xml="*disabled*" | stats count - min(_time) as firstTime max(_time) as lastTime by Computer EventCode Name UserID - service ServiceName | rename Computer as dest | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` | `windows_event_for_service_disabled_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting - logs with the Service name, Service File Name Service Start type, and Service Type - from your endpoints. -known_false_positives: Windows service update may cause this event. In that scenario, - filtering is needed. +search: '`wineventlog_system` EventCode=7040 EventData_Xml="*disabled*" | stats count min(_time) as firstTime max(_time) as lastTime by Computer EventCode Name UserID service ServiceName | rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_event_for_service_disabled_filter`' +how_to_implement: To successfully implement this search, you need to be ingesting logs with the Service name, Service File Name Service Start type, and Service Type from your endpoints. +known_false_positives: Windows service update may cause this event. In that scenario, filtering is needed. references: - https://blog.talosintelligence.com/2018/02/olympic-destroyer.html tags: @@ -57,7 +45,6 @@ tags: tests: - name: True Positive Test attack_data: - - data: - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/windows_excessive_disabled_services_event/windows-xml.log + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/windows_excessive_disabled_services_event/windows-xml.log source: XmlWinEventLog:System sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_event_log_cleared.yml b/detections/endpoint/windows_event_log_cleared.yml index 60a10c32d9..116e078f96 100644 --- a/detections/endpoint/windows_event_log_cleared.yml +++ b/detections/endpoint/windows_event_log_cleared.yml @@ -18,12 +18,12 @@ references: - https://attack.mitre.org/techniques/T1070/001/ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.001/T1070.001.md drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_event_triggered_image_file_execution_options_injection.yml b/detections/endpoint/windows_event_triggered_image_file_execution_options_injection.yml index 3cd9ec0575..a324abb208 100644 --- a/detections/endpoint/windows_event_triggered_image_file_execution_options_injection.yml +++ b/detections/endpoint/windows_event_triggered_image_file_execution_options_injection.yml @@ -5,24 +5,12 @@ date: '2024-10-17' author: Michael Haag, Splunk status: production type: Hunting -description: The following analytic identifies the creation or modification of Image - File Execution Options (IFEO) registry keys, detected via EventCode 3000 in the - Application channel. This detection leverages Windows Event Logs to monitor for - process names added to IFEO under specific registry paths. This activity is significant - as it can indicate attempts to set traps for process monitoring or debugging, often - used by attackers for persistence or evasion. If confirmed malicious, this could - allow an attacker to execute arbitrary code or manipulate process behavior, leading - to potential system compromise. +description: The following analytic identifies the creation or modification of Image File Execution Options (IFEO) registry keys, detected via EventCode 3000 in the Application channel. This detection leverages Windows Event Logs to monitor for process names added to IFEO under specific registry paths. This activity is significant as it can indicate attempts to set traps for process monitoring or debugging, often used by attackers for persistence or evasion. If confirmed malicious, this could allow an attacker to execute arbitrary code or manipulate process behavior, leading to potential system compromise. data_source: - Windows Event Log Application 3000 -search: '`wineventlog_application` EventCode=3000 | rename param1 AS "Process" param2 - AS "Exit_Code" | stats count min(_time) as firstTime max(_time) as lastTime by Process - Exit_Code dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` - | `windows_event_triggered_image_file_execution_options_injection_filter`' -how_to_implement: This analytic requires capturing the Windows Event Log Application - channel in XML. -known_false_positives: False positives may be present and tuning will be required - before turning into a TTP or notable. +search: '`wineventlog_application` EventCode=3000 | rename param1 AS "Process" param2 AS "Exit_Code" | stats count min(_time) as firstTime max(_time) as lastTime by Process Exit_Code dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_event_triggered_image_file_execution_options_injection_filter`' +how_to_implement: This analytic requires capturing the Windows Event Log Application channel in XML. +known_false_positives: False positives may be present and tuning will be required before turning into a TTP or notable. references: - https://blog.thinkst.com/2022/09/sensitive-command-token-so-much-offense.html - https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/registry-entries-for-silent-process-exit @@ -32,8 +20,7 @@ tags: asset_type: Endpoint confidence: 50 impact: 50 - message: Windows eventcode 3000 triggered on $dest$ potentially indicating persistence - or a monitoring of a process has occurred. + message: Windows eventcode 3000 triggered on $dest$ potentially indicating persistence or a monitoring of a process has occurred. mitre_attack_id: - T1546.012 observable: @@ -56,8 +43,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1546.012/atomic_red_team/windows-application.log + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1546.012/atomic_red_team/windows-application.log source: XmlWinEventLog:Application sourcetype: XmlWinEventLog update_timestamp: true diff --git a/detections/endpoint/windows_excessive_disabled_services_event.yml b/detections/endpoint/windows_excessive_disabled_services_event.yml index 4435047ffd..b214091034 100644 --- a/detections/endpoint/windows_excessive_disabled_services_event.yml +++ b/detections/endpoint/windows_excessive_disabled_services_event.yml @@ -14,12 +14,12 @@ known_false_positives: Unknown references: - https://blog.talosintelligence.com/2018/02/olympic-destroyer.html drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_executable_in_loaded_modules.yml b/detections/endpoint/windows_executable_in_loaded_modules.yml index 6bc04b9ab9..da48443049 100644 --- a/detections/endpoint/windows_executable_in_loaded_modules.yml +++ b/detections/endpoint/windows_executable_in_loaded_modules.yml @@ -14,12 +14,12 @@ known_false_positives: unknown. references: - https://malpedia.caad.fkie.fraunhofer.de/details/win.njrat drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_execute_arbitrary_commands_with_msdt.yml b/detections/endpoint/windows_execute_arbitrary_commands_with_msdt.yml index 7c55cf7850..8db0c9c9d6 100644 --- a/detections/endpoint/windows_execute_arbitrary_commands_with_msdt.yml +++ b/detections/endpoint/windows_execute_arbitrary_commands_with_msdt.yml @@ -21,12 +21,12 @@ references: - https://www.virustotal.com/gui/file/4a24048f81afbe9fb62e7a6a49adbd1faf41f266b5f9feecdceb567aec096784/detection - https://strontic.github.io/xcyclopedia/library/msdt.exe-152D4C9F63EFB332CCB134C6953C0104.html drilldown_searches: -- name: View the detection results for $user$ and $dest$ - search: '%original_detection_search% | search user = $user$ dest = $dest$' +- name: View the detection results for - "$user$" and "$dest$" + search: '%original_detection_search% | search user = "$user$" dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ and $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$, $dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" and "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_exfiltration_over_c2_via_invoke_restmethod.yml b/detections/endpoint/windows_exfiltration_over_c2_via_invoke_restmethod.yml index efc4efa763..cc9e87054c 100644 --- a/detections/endpoint/windows_exfiltration_over_c2_via_invoke_restmethod.yml +++ b/detections/endpoint/windows_exfiltration_over_c2_via_invoke_restmethod.yml @@ -15,12 +15,12 @@ references: - https://twitter.com/_CERT_UA/status/1620781684257091584 - https://cert.gov.ua/article/3761104 drilldown_searches: -- name: View the detection results for $Computer$ - search: '%original_detection_search% | search Computer = $Computer$' +- name: View the detection results for - "$Computer$" + search: '%original_detection_search% | search Computer = "$Computer$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $Computer$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($Computer$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$Computer$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$Computer$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_exfiltration_over_c2_via_powershell_uploadstring.yml b/detections/endpoint/windows_exfiltration_over_c2_via_powershell_uploadstring.yml index b7542cc6d4..a8eed0c0cf 100644 --- a/detections/endpoint/windows_exfiltration_over_c2_via_powershell_uploadstring.yml +++ b/detections/endpoint/windows_exfiltration_over_c2_via_powershell_uploadstring.yml @@ -15,12 +15,12 @@ references: - https://twitter.com/_CERT_UA/status/1620781684257091584 - https://cert.gov.ua/article/3761104 drilldown_searches: -- name: View the detection results for $Computer$ - search: '%original_detection_search% | search Computer = $Computer$' +- name: View the detection results for - "$Computer$" + search: '%original_detection_search% | search Computer = "$Computer$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $Computer$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($Computer$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$Computer$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$Computer$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_export_certificate.yml b/detections/endpoint/windows_export_certificate.yml index 03322b831b..4b1e6c2e1e 100644 --- a/detections/endpoint/windows_export_certificate.yml +++ b/detections/endpoint/windows_export_certificate.yml @@ -14,12 +14,12 @@ known_false_positives: False positives may be generated based on an automated pr references: - https://atomicredteam.io/defense-evasion/T1553.004/#atomic-test-4---install-root-ca-on-windows drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_file_share_discovery_with_powerview.yml b/detections/endpoint/windows_file_share_discovery_with_powerview.yml index 1a6159e426..4c2410e198 100644 --- a/detections/endpoint/windows_file_share_discovery_with_powerview.yml +++ b/detections/endpoint/windows_file_share_discovery_with_powerview.yml @@ -16,12 +16,12 @@ references: - https://thedfirreport.com/2023/01/23/sharefinder-how-threat-actors-discover-file-shares/ - https://attack.mitre.org/techniques/T1135/ drilldown_searches: -- name: View the detection results for $Computer$ and $UserID$ - search: '%original_detection_search% | search Computer = $Computer$ UserID = $UserID$' +- name: View the detection results for - "$Computer$" and "$UserID$" + search: '%original_detection_search% | search Computer = "$Computer$" UserID = "$UserID$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $Computer$ and $UserID$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($Computer$, $UserID$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$Computer$" and "$UserID$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$Computer$", "$UserID$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_file_transfer_protocol_in_non_common_process_path.yml b/detections/endpoint/windows_file_transfer_protocol_in_non_common_process_path.yml index ab1d81daae..dbe9cecede 100644 --- a/detections/endpoint/windows_file_transfer_protocol_in_non_common_process_path.yml +++ b/detections/endpoint/windows_file_transfer_protocol_in_non_common_process_path.yml @@ -14,12 +14,12 @@ known_false_positives: third party application may use this network protocol as references: - https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_file_without_extension_in_critical_folder.yml b/detections/endpoint/windows_file_without_extension_in_critical_folder.yml index 2242e95cc2..2a2945b46f 100644 --- a/detections/endpoint/windows_file_without_extension_in_critical_folder.yml +++ b/detections/endpoint/windows_file_without_extension_in_critical_folder.yml @@ -14,12 +14,12 @@ known_false_positives: Unknown at this point references: - https://blog.talosintelligence.com/2022/02/threat-advisory-hermeticwiper.html drilldown_searches: -- name: View the detection results for $user$ - search: '%original_detection_search% | search user = $user$' +- name: View the detection results for - "$user$" + search: '%original_detection_search% | search user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_files_and_dirs_access_rights_modification_via_icacls.yml b/detections/endpoint/windows_files_and_dirs_access_rights_modification_via_icacls.yml index bbdc8e3ce1..15f4c2fb7c 100644 --- a/detections/endpoint/windows_files_and_dirs_access_rights_modification_via_icacls.yml +++ b/detections/endpoint/windows_files_and_dirs_access_rights_modification_via_icacls.yml @@ -16,12 +16,12 @@ known_false_positives: Unknown. It is possible some administrative scripts use I references: - https://malpedia.caad.fkie.fraunhofer.de/details/win.amadey drilldown_searches: -- name: View the detection results for $dest$ and $user$ - search: '%original_detection_search% | search dest = $dest$ user = $user$' +- name: View the detection results for - "$dest$" and "$user$" + search: '%original_detection_search% | search dest = "$dest$" user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ and $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$, $user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" and "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_find_domain_organizational_units_with_getdomainou.yml b/detections/endpoint/windows_find_domain_organizational_units_with_getdomainou.yml index d9f465b0c2..bec9909d37 100644 --- a/detections/endpoint/windows_find_domain_organizational_units_with_getdomainou.yml +++ b/detections/endpoint/windows_find_domain_organizational_units_with_getdomainou.yml @@ -16,12 +16,12 @@ references: - https://attack.mitre.org/techniques/T1087/002/ - https://book.hacktricks.xyz/windows-hardening/basic-powershell-for-pentesters/powerview drilldown_searches: -- name: View the detection results for $dest$ and $user$ - search: '%original_detection_search% | search dest = $dest$ user = $user$' +- name: View the detection results for - "$dest$" and "$user$" + search: '%original_detection_search% | search dest = "$dest$" user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ and $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$, $user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" and "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_find_interesting_acl_with_findinterestingdomainacl.yml b/detections/endpoint/windows_find_interesting_acl_with_findinterestingdomainacl.yml index 0858837e5e..aa599a9e08 100644 --- a/detections/endpoint/windows_find_interesting_acl_with_findinterestingdomainacl.yml +++ b/detections/endpoint/windows_find_interesting_acl_with_findinterestingdomainacl.yml @@ -16,12 +16,12 @@ references: - https://attack.mitre.org/techniques/T1087/002/ - https://book.hacktricks.xyz/windows-hardening/basic-powershell-for-pentesters/powerview drilldown_searches: -- name: View the detection results for $dest$ and $user$ - search: '%original_detection_search% | search dest = $dest$ user = $user$' +- name: View the detection results for - "$dest$" and "$user$" + search: '%original_detection_search% | search dest = "$dest$" user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ and $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$, $user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" and "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_findstr_gpp_discovery.yml b/detections/endpoint/windows_findstr_gpp_discovery.yml index 835f306747..e0029429f2 100644 --- a/detections/endpoint/windows_findstr_gpp_discovery.yml +++ b/detections/endpoint/windows_findstr_gpp_discovery.yml @@ -20,12 +20,12 @@ references: - https://www.hackingarticles.in/credential-dumping-group-policy-preferences-gpp/ - https://support.microsoft.com/en-us/topic/ms14-025-vulnerability-in-group-policy-preferences-could-allow-elevation-of-privilege-may-13-2014-60734e15-af79-26ca-ea53-8cd617073c30 drilldown_searches: -- name: View the detection results for $dest$ and $user$ - search: '%original_detection_search% | search dest = $dest$ user = $user$' +- name: View the detection results for - "$dest$" and "$user$" + search: '%original_detection_search% | search dest = "$dest$" user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ and $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$, $user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" and "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_forest_discovery_with_getforestdomain.yml b/detections/endpoint/windows_forest_discovery_with_getforestdomain.yml index f1bf062e0e..dcd8d786ff 100644 --- a/detections/endpoint/windows_forest_discovery_with_getforestdomain.yml +++ b/detections/endpoint/windows_forest_discovery_with_getforestdomain.yml @@ -16,12 +16,12 @@ references: - https://attack.mitre.org/techniques/T1087/002/ - https://book.hacktricks.xyz/windows-hardening/basic-powershell-for-pentesters/powerview drilldown_searches: -- name: View the detection results for $dest$ and $user$ - search: '%original_detection_search% | search dest = $dest$ user = $user$' +- name: View the detection results for - "$dest$" and "$user$" + search: '%original_detection_search% | search dest = "$dest$" user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ and $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$, $user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" and "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_gather_victim_host_information_camera.yml b/detections/endpoint/windows_gather_victim_host_information_camera.yml index 95e2338b5d..d469c4dff2 100644 --- a/detections/endpoint/windows_gather_victim_host_information_camera.yml +++ b/detections/endpoint/windows_gather_victim_host_information_camera.yml @@ -16,12 +16,12 @@ references: - https://malpedia.caad.fkie.fraunhofer.de/details/win.dcrat - https://www.mandiant.com/resources/analyzing-dark-crystal-rat-backdoor drilldown_searches: -- name: View the detection results for $dest$ and $user$ - search: '%original_detection_search% | search dest = $dest$ user = $user$' +- name: View the detection results for - "$dest$" and "$user$" + search: '%original_detection_search% | search dest = "$dest$" user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ and $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$, $user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" and "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_gather_victim_identity_sam_info.yml b/detections/endpoint/windows_gather_victim_identity_sam_info.yml index 13011d8de8..e832fcc4cb 100644 --- a/detections/endpoint/windows_gather_victim_identity_sam_info.yml +++ b/detections/endpoint/windows_gather_victim_identity_sam_info.yml @@ -5,26 +5,12 @@ date: '2024-10-17' author: Teoderick Contreras, Splunk status: production type: Hunting -description: The following analytic detects processes loading the samlib.dll or samcli.dll - modules, which are often abused to access Security Account Manager (SAM) objects - or credentials on domain controllers. This detection leverages Sysmon EventCode - 7 to identify these DLLs being loaded outside typical system directories. Monitoring - this activity is crucial as it may indicate attempts to gather sensitive identity - information. If confirmed malicious, this behavior could allow attackers to obtain - credentials, escalate privileges, or further infiltrate the network. +description: The following analytic detects processes loading the samlib.dll or samcli.dll modules, which are often abused to access Security Account Manager (SAM) objects or credentials on domain controllers. This detection leverages Sysmon EventCode 7 to identify these DLLs being loaded outside typical system directories. Monitoring this activity is crucial as it may indicate attempts to gather sensitive identity information. If confirmed malicious, this behavior could allow attackers to obtain credentials, escalate privileges, or further infiltrate the network. data_source: - Sysmon EventID 7 -search: '`sysmon` EventCode=7 (ImageLoaded = "*\\samlib.dll" AND OriginalFileName - = "samlib.dll") OR (ImageLoaded = "*\\samcli.dll" AND OriginalFileName = "SAMCLI.DLL") - AND NOT (Image IN("C:\\Windows\\*", "C:\\Program File*", "%systemroot%\\*")) | stats - count min(_time) as firstTime max(_time) as lastTime by Image ImageLoaded process_name - dest EventCode Signed ProcessId | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` - | `windows_gather_victim_identity_sam_info_filter`' -how_to_implement: The latest Sysmon TA 3.0 https://splunkbase.splunk.com/app/5709 - will add the ImageLoaded name to the process_name field, allowing this query to - work. Use as an example and implement for other products. -known_false_positives: this module can be loaded by a third party application. Filter - is needed. +search: '`sysmon` EventCode=7 (ImageLoaded = "*\\samlib.dll" AND OriginalFileName = "samlib.dll") OR (ImageLoaded = "*\\samcli.dll" AND OriginalFileName = "SAMCLI.DLL") AND NOT (Image IN("C:\\Windows\\*", "C:\\Program File*", "%systemroot%\\*")) | stats count min(_time) as firstTime max(_time) as lastTime by Image ImageLoaded process_name dest EventCode Signed ProcessId | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_gather_victim_identity_sam_info_filter`' +how_to_implement: The latest Sysmon TA 3.0 https://splunkbase.splunk.com/app/5709 will add the ImageLoaded name to the process_name field, allowing this query to work. Use as an example and implement for other products. +known_false_positives: this module can be loaded by a third party application. Filter is needed. references: - https://redcanary.com/blog/active-breach-evading-defenses/ - https://strontic.github.io/xcyclopedia/library/samlib.dll-0BDF6351009F6EBA5BA7E886F23263B1.html @@ -34,8 +20,7 @@ tags: asset_type: Endpoint confidence: 30 impact: 30 - message: An instance of $dest$ that loads $ImageLoaded$ that are related to accessing - to SAM object information. + message: An instance of $dest$ that loads $ImageLoaded$ that are related to accessing to SAM object information. mitre_attack_id: - T1589.001 - T1589 @@ -61,8 +46,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/brute_ratel/loading_samlib/sysmon.log + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/brute_ratel/loading_samlib/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog update_timestamp: true diff --git a/detections/endpoint/windows_gather_victim_network_info_through_ip_check_web_services.yml b/detections/endpoint/windows_gather_victim_network_info_through_ip_check_web_services.yml index 4eadc93195..3c218b411a 100644 --- a/detections/endpoint/windows_gather_victim_network_info_through_ip_check_web_services.yml +++ b/detections/endpoint/windows_gather_victim_network_info_through_ip_check_web_services.yml @@ -5,29 +5,12 @@ date: '2024-10-17' author: Teoderick Contreras, Splunk status: production type: Hunting -description: The following analytic detects processes attempting to connect to known - IP check web services. This behavior is identified using Sysmon EventCode 22 logs, - specifically monitoring DNS queries to services like "wtfismyip.com" and "ipinfo.io". - This activity is significant as it is commonly used by malware, such as Trickbot, - for reconnaissance to determine the infected machine's IP address. If confirmed - malicious, this could allow attackers to gather network information, aiding in further - attacks or lateral movement within the network. +description: The following analytic detects processes attempting to connect to known IP check web services. This behavior is identified using Sysmon EventCode 22 logs, specifically monitoring DNS queries to services like "wtfismyip.com" and "ipinfo.io". This activity is significant as it is commonly used by malware, such as Trickbot, for reconnaissance to determine the infected machine's IP address. If confirmed malicious, this could allow attackers to gather network information, aiding in further attacks or lateral movement within the network. data_source: - Sysmon EventID 22 -search: '`sysmon` EventCode=22 QueryName IN ("*wtfismyip.com", "*checkip.*", "*ipecho.net", - "*ipinfo.io", "*api.ipify.org", "*icanhazip.com", "*ip.anysrc.com","*api.ip.sb", - "ident.me", "www.myexternalip.com", "*zen.spamhaus.org", "*cbl.abuseat.org", "*b.barracudacentral.org", - "*dnsbl-1.uceprotect.net", "*spam.dnsbl.sorbs.net", "*iplogger.org*", "*ip-api.com*", - "*geoip.*", "*icanhazip.*") | stats min(_time) as firstTime max(_time) as lastTime count by Image - ProcessId QueryName QueryStatus QueryResults EventCode Computer | rename Computer - as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` - | `windows_gather_victim_network_info_through_ip_check_web_services_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting - logs with the process name, dns query name process path , and query ststus from - your endpoints like EventCode 22. If you are using Sysmon, you must have at least - version 12 of the Sysmon TA. -known_false_positives: Filter internet browser application to minimize the false positive - of this detection. +search: '`sysmon` EventCode=22 QueryName IN ("*wtfismyip.com", "*checkip.*", "*ipecho.net", "*ipinfo.io", "*api.ipify.org", "*icanhazip.com", "*ip.anysrc.com","*api.ip.sb", "ident.me", "www.myexternalip.com", "*zen.spamhaus.org", "*cbl.abuseat.org", "*b.barracudacentral.org", "*dnsbl-1.uceprotect.net", "*spam.dnsbl.sorbs.net", "*iplogger.org*", "*ip-api.com*", "*geoip.*", "*icanhazip.*") | stats min(_time) as firstTime max(_time) as lastTime count by Image ProcessId QueryName QueryStatus QueryResults EventCode Computer | rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_gather_victim_network_info_through_ip_check_web_services_filter`' +how_to_implement: To successfully implement this search, you need to be ingesting logs with the process name, dns query name process path , and query ststus from your endpoints like EventCode 22. If you are using Sysmon, you must have at least version 12 of the Sysmon TA. +known_false_positives: Filter internet browser application to minimize the false positive of this detection. references: - https://app.any.run/tasks/a6f2ffe2-e6e2-4396-ae2e-04ea0143f2d8/ tags: @@ -67,8 +50,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/azorult/sysmon.log + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/azorult/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog update_timestamp: true diff --git a/detections/endpoint/windows_get_adcomputer_unconstrained_delegation_discovery.yml b/detections/endpoint/windows_get_adcomputer_unconstrained_delegation_discovery.yml index b48aa0a585..787345751e 100644 --- a/detections/endpoint/windows_get_adcomputer_unconstrained_delegation_discovery.yml +++ b/detections/endpoint/windows_get_adcomputer_unconstrained_delegation_discovery.yml @@ -18,12 +18,12 @@ references: - https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/domain-compromise-via-unrestricted-kerberos-delegation - https://www.cyberark.com/resources/threat-research-blog/weakness-within-kerberos-delegation drilldown_searches: -- name: View the detection results for $dest$ and $user$ - search: '%original_detection_search% | search dest = $dest$ user = $user$' +- name: View the detection results for - "$dest$" and "$user$" + search: '%original_detection_search% | search dest = "$dest$" user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ and $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$, $user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" and "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_get_local_admin_with_findlocaladminaccess.yml b/detections/endpoint/windows_get_local_admin_with_findlocaladminaccess.yml index d276a6335b..9b319a1ab8 100644 --- a/detections/endpoint/windows_get_local_admin_with_findlocaladminaccess.yml +++ b/detections/endpoint/windows_get_local_admin_with_findlocaladminaccess.yml @@ -16,12 +16,12 @@ references: - https://attack.mitre.org/techniques/T1087/002/ - https://book.hacktricks.xyz/windows-hardening/basic-powershell-for-pentesters/powerview drilldown_searches: -- name: View the detection results for $dest$ and $user$ - search: '%original_detection_search% | search dest = $dest$ user = $user$' +- name: View the detection results for - "$dest$" and "$user$" + search: '%original_detection_search% | search dest = "$dest$" user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ and $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$, $user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" and "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_group_policy_object_created.yml b/detections/endpoint/windows_group_policy_object_created.yml index 5ccfd4b747..e53ead572a 100644 --- a/detections/endpoint/windows_group_policy_object_created.yml +++ b/detections/endpoint/windows_group_policy_object_created.yml @@ -20,12 +20,12 @@ references: - https://www.bleepingcomputer.com/news/security/lockbit-ransomware-now-encrypts-windows-domains-using-group-policies/ - https://www.varonis.com/blog/group-policy-objects drilldown_searches: -- name: View the detection results for $User$ - search: '%original_detection_search% | search User = $User$' +- name: View the detection results for - "$User$" + search: '%original_detection_search% | search User = "$User$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $User$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($User$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$User$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$User$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_hidden_schedule_task_settings.yml b/detections/endpoint/windows_hidden_schedule_task_settings.yml index b676132cce..3d1ed6571c 100644 --- a/detections/endpoint/windows_hidden_schedule_task_settings.yml +++ b/detections/endpoint/windows_hidden_schedule_task_settings.yml @@ -15,12 +15,12 @@ references: - https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/ - https://cert.gov.ua/article/39518 drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_hide_notification_features_through_registry.yml b/detections/endpoint/windows_hide_notification_features_through_registry.yml index bbd8ea1e53..8db0b915fd 100644 --- a/detections/endpoint/windows_hide_notification_features_through_registry.yml +++ b/detections/endpoint/windows_hide_notification_features_through_registry.yml @@ -15,12 +15,12 @@ known_false_positives: unknown references: - https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/Ransom.Win32.ONALOCKER.A/ drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_high_file_deletion_frequency.yml b/detections/endpoint/windows_high_file_deletion_frequency.yml index bfdb586d9f..82439b25fe 100644 --- a/detections/endpoint/windows_high_file_deletion_frequency.yml +++ b/detections/endpoint/windows_high_file_deletion_frequency.yml @@ -17,12 +17,12 @@ references: - https://blog.virustotal.com/2020/11/keep-your-friends-close-keep-ransomware.html - https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/ drilldown_searches: -- name: View the detection results for $user$ and $dest$ - search: '%original_detection_search% | search user = $user$ dest = $dest$' +- name: View the detection results for - "$user$" and "$dest$" + search: '%original_detection_search% | search user = "$user$" dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ and $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$, $dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" and "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_hijack_execution_flow_version_dll_side_load.yml b/detections/endpoint/windows_hijack_execution_flow_version_dll_side_load.yml index dfb1212675..c3fe83a959 100644 --- a/detections/endpoint/windows_hijack_execution_flow_version_dll_side_load.yml +++ b/detections/endpoint/windows_hijack_execution_flow_version_dll_side_load.yml @@ -14,12 +14,12 @@ known_false_positives: unknown references: - https://www.mdsec.co.uk/2022/08/part-3-how-i-met-your-beacon-brute-ratel/ drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_hunting_system_account_targeting_lsass.yml b/detections/endpoint/windows_hunting_system_account_targeting_lsass.yml index 5635a10a43..16e963298f 100644 --- a/detections/endpoint/windows_hunting_system_account_targeting_lsass.yml +++ b/detections/endpoint/windows_hunting_system_account_targeting_lsass.yml @@ -5,26 +5,12 @@ date: '2024-10-17' author: Michael Haag, Splunk status: production type: Hunting -description: The following analytic identifies processes attempting to access Lsass.exe, - which may indicate credential dumping or applications needing credential access. - It leverages Sysmon EventCode 10 to detect such activities by analyzing fields like - TargetImage, GrantedAccess, and SourceImage. This behavior is significant as unauthorized - access to Lsass.exe can lead to credential theft, posing a severe security risk. - If confirmed malicious, attackers could gain access to sensitive credentials, potentially - leading to privilege escalation and further compromise of the environment. +description: The following analytic identifies processes attempting to access Lsass.exe, which may indicate credential dumping or applications needing credential access. It leverages Sysmon EventCode 10 to detect such activities by analyzing fields like TargetImage, GrantedAccess, and SourceImage. This behavior is significant as unauthorized access to Lsass.exe can lead to credential theft, posing a severe security risk. If confirmed malicious, attackers could gain access to sensitive credentials, potentially leading to privilege escalation and further compromise of the environment. data_source: - Sysmon EventID 10 -search: '`sysmon` EventCode=10 TargetImage=*lsass.exe | stats count min(_time) as - firstTime max(_time) as lastTime by dest, TargetImage, GrantedAccess, SourceImage, - SourceProcessId, SourceUser, TargetUser | `security_content_ctime(firstTime)` | - `security_content_ctime(lastTime)` | `windows_hunting_system_account_targeting_lsass_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting - logs with the process name, parent process, and command-line executions from your - endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the - Sysmon TA. Enabling EventCode 10 TargetProcess lsass.exe is required. -known_false_positives: False positives will occur based on GrantedAccess and SourceUser, - filter based on source image as needed. Utilize this hunting analytic to tune out - false positives in TTP or anomaly analytics. +search: '`sysmon` EventCode=10 TargetImage=*lsass.exe | stats count min(_time) as firstTime max(_time) as lastTime by dest, TargetImage, GrantedAccess, SourceImage, SourceProcessId, SourceUser, TargetUser | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_hunting_system_account_targeting_lsass_filter`' +how_to_implement: To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. Enabling EventCode 10 TargetProcess lsass.exe is required. +known_false_positives: False positives will occur based on GrantedAccess and SourceUser, filter based on source image as needed. Utilize this hunting analytic to tune out false positives in TTP or anomaly analytics. references: - https://en.wikipedia.org/wiki/Local_Security_Authority_Subsystem_Service - https://docs.microsoft.com/en-us/windows/win32/api/minidumpapiset/nf-minidumpapiset-minidumpwritedump @@ -38,8 +24,7 @@ tags: asset_type: Endpoint confidence: 80 impact: 80 - message: A process, $SourceImage$, has requested access to LSASS on $dest$. Review - for further details. + message: A process, $SourceImage$, has requested access to LSASS on $dest$. Review for further details. mitre_attack_id: - T1003.001 - T1003 @@ -70,7 +55,6 @@ tags: tests: - name: True Positive Test attack_data: - - data: - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.001/atomic_red_team/windows-sysmon_creddump.log + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.001/atomic_red_team/windows-sysmon_creddump.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/windows_identify_powershell_web_access_iis_pool.yml b/detections/endpoint/windows_identify_powershell_web_access_iis_pool.yml index 181a9898a9..30f42dcf65 100644 --- a/detections/endpoint/windows_identify_powershell_web_access_iis_pool.yml +++ b/detections/endpoint/windows_identify_powershell_web_access_iis_pool.yml @@ -8,27 +8,7 @@ data_sources: type: Hunting status: production description: This analytic detects and analyzes PowerShell Web Access (PSWA) usage in Windows environments. It tracks both connection attempts (EventID 4648) and successful logons (EventID 4624) associated with PSWA, providing a comprehensive view of access patterns. The analytic identifies PSWA's operational status, host servers, processes, and connection metrics. It highlights unique target accounts, domains accessed, and verifies logon types. This information is crucial for detecting potential misuse, such as lateral movement, brute force attempts, or unusual access patterns. By offering insights into PSWA activity, it enables security teams to quickly assess and investigate potential security incidents involving this powerful administrative tool. -search: '`wineventlog_security` (EventCode=4648 OR EventCode=4624 OR EventCode=4625) SubjectUserName="pswa_pool" - | fields EventCode, SubjectUserName, TargetUserName, Computer, TargetDomainName, ProcessName, LogonType - | rename Computer as dest - | stats - count(eval(EventCode=4648)) as "Connection Attempts", - count(eval(EventCode=4624)) as "Successful Logons", - count(eval(EventCode=4625)) as "Unsuccessful Logons", - dc(TargetUserName) as "Unique Target Accounts", - values(dest) as "PSWA Host", - dc(TargetDomainName) as "Unique Target Domains", - values(ProcessName) as "PSWA Process", - values(TargetUserName) as "Target Users List", - values(TargetServerName) as "Target Servers List", - values(LogonType) as "Logon Types" - | eval - PSWA_Running = "Yes", - "PSWA Process" = mvindex(split(mvindex("PSWA Process", 0), "\\"), -1) - | fields PSWA_Running, "PSWA Host", "PSWA Process", "Connection Attempts", "Successful Logons","Unsuccessful Logons", "Unique Target Accounts", "Unique Target Domains", "Target Users List","Target Servers List", "Logon Types" - | `security_content_ctime(firstTime)` - |`security_content_ctime(lastTime)` - | `windows_identify_powershell_web_access_iis_pool_filter`' +search: '`wineventlog_security` (EventCode=4648 OR EventCode=4624 OR EventCode=4625) SubjectUserName="pswa_pool" | fields EventCode, SubjectUserName, TargetUserName, Computer, TargetDomainName, ProcessName, LogonType | rename Computer as dest | stats count(eval(EventCode=4648)) as "Connection Attempts", count(eval(EventCode=4624)) as "Successful Logons", count(eval(EventCode=4625)) as "Unsuccessful Logons", dc(TargetUserName) as "Unique Target Accounts", values(dest) as "PSWA Host", dc(TargetDomainName) as "Unique Target Domains", values(ProcessName) as "PSWA Process", values(TargetUserName) as "Target Users List", values(TargetServerName) as "Target Servers List", values(LogonType) as "Logon Types" | eval PSWA_Running = "Yes", "PSWA Process" = mvindex(split(mvindex("PSWA Process", 0), "\\"), -1) | fields PSWA_Running, "PSWA Host", "PSWA Process", "Connection Attempts", "Successful Logons","Unsuccessful Logons", "Unique Target Accounts", "Unique Target Domains", "Target Users List","Target Servers List", "Logon Types" | `security_content_ctime(firstTime)` |`security_content_ctime(lastTime)` | `windows_identify_powershell_web_access_iis_pool_filter`' how_to_implement: To successfully implement this search, you need to be ingesting Windows Security Event logs, specifically Event ID 4648 (A logon was attempted using explicit credentials). Ensure that your Windows systems are configured to audit logon events and that these logs are being forwarded to your SIEM or log management solution. You may need to enable advanced audit policy settings in Windows to capture these events. Additionally, make sure that your environment is set up to capture the necessary fields such as SubjectUserName, TargetUserName, Computer, TargetServerName, and ProcessName from these events. If you're using Splunk, ensure that you have the appropriate Windows TA installed and configured to collect these security logs. known_false_positives: False positives may occur if legitimate PSWA processes are used for administrative tasks. Careful review of the logs is recommended to distinguish between legitimate and malicious activity. references: diff --git a/detections/endpoint/windows_identify_protocol_handlers.yml b/detections/endpoint/windows_identify_protocol_handlers.yml index f8a961f56c..4372d816c0 100644 --- a/detections/endpoint/windows_identify_protocol_handlers.yml +++ b/detections/endpoint/windows_identify_protocol_handlers.yml @@ -5,35 +5,14 @@ date: '2024-10-17' author: Michael Haag, Splunk status: production type: Hunting -description: 'The following analytic identifies the use of protocol handlers executed - via the command line. It leverages data from Endpoint Detection and Response (EDR) - agents, focusing on process and command-line telemetry. This activity is significant - because protocol handlers can be exploited to execute arbitrary commands or launch - applications, potentially leading to unauthorized actions. If confirmed malicious, - an attacker could use this technique to gain code execution, escalate privileges, - or maintain persistence within the environment, posing a significant security risk.' +description: The following analytic identifies the use of protocol handlers executed via the command line. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process and command-line telemetry. This activity is significant because protocol handlers can be exploited to execute arbitrary commands or launch applications, potentially leading to unauthorized actions. If confirmed malicious, an attacker could use this technique to gain code execution, escalate privileges, or maintain persistence within the environment, posing a significant security risk. data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) - as lastTime values(Processes.process) as process values(Processes.parent_process) - as parent_process from datamodel=Endpoint.Processes by Processes.dest Processes.parent_process_name - Processes.user Processes.process_name Processes.process | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` | `drop_dm_object_name(Processes)` | lookup - windows_protocol_handlers handler AS process OUTPUT handler ishandler | where ishandler="TRUE" - | `windows_identify_protocol_handlers_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection - and Response (EDR) agents. These agents are designed to provide security-related - telemetry from the endpoints where the agent is installed. To implement this search, - you must ingest logs that contain the process GUID, process name, and parent process. - Additionally, you must ingest complete command-line executions. These logs must - be processed using the appropriate Splunk Technology Add-ons that are specific to - the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` - data model. Use the Splunk Common Information Model (CIM) to normalize the field - names and speed up the data modeling process. -known_false_positives: False positives will be found. https and http is a URL Protocol - handler that will trigger this analytic. Tune based on process or command-line. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(Processes.process) as process values(Processes.parent_process) as parent_process from datamodel=Endpoint.Processes by Processes.dest Processes.parent_process_name Processes.user Processes.process_name Processes.process | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `drop_dm_object_name(Processes)` | lookup windows_protocol_handlers handler AS process OUTPUT handler ishandler | where ishandler="TRUE" | `windows_identify_protocol_handlers_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. +known_false_positives: False positives will be found. https and http is a URL Protocol handler that will trigger this analytic. Tune based on process or command-line. references: - https://gist.github.com/MHaggis/a0d3edb57d36e0916c94c0a464b2722e - https://www.oreilly.com/library/view/learning-java/1565927184/apas02.html @@ -50,8 +29,7 @@ tags: asset_type: Endpoint confidence: 20 impact: 30 - message: An instance of $parent_process_name$ spawning $process_name$ was identified - on endpoint $dest$ by user $user$ utilizing a protocol handler. + message: An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ utilizing a protocol handler. mitre_attack_id: - T1059 observable: @@ -93,8 +71,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059/protocol_handlers/protocolhandlers.log + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059/protocol_handlers/protocolhandlers.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog update_timestamp: true diff --git a/detections/endpoint/windows_iis_components_add_new_module.yml b/detections/endpoint/windows_iis_components_add_new_module.yml index 27187b19e3..6a9fe8082f 100644 --- a/detections/endpoint/windows_iis_components_add_new_module.yml +++ b/detections/endpoint/windows_iis_components_add_new_module.yml @@ -21,12 +21,12 @@ references: - https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/T1505.004 - https://strontic.github.io/xcyclopedia/library/appcmd.exe-055B2B09409F980BF9B5A3969D01E5B2.html drilldown_searches: -- name: View the detection results for $user$ and $dest$ - search: '%original_detection_search% | search user = $user$ dest = $dest$' +- name: View the detection results for - "$user$" and "$dest$" + search: '%original_detection_search% | search user = "$user$" dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ and $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$, $dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" and "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_iis_components_get_webglobalmodule_module_query.yml b/detections/endpoint/windows_iis_components_get_webglobalmodule_module_query.yml index 0b9fd9eb06..2febc40bd3 100644 --- a/detections/endpoint/windows_iis_components_get_webglobalmodule_module_query.yml +++ b/detections/endpoint/windows_iis_components_get_webglobalmodule_module_query.yml @@ -5,23 +5,12 @@ date: '2024-10-17' author: Michael Haag, Splunk status: production type: Hunting -description: The following analytic identifies the execution of the PowerShell cmdlet - Get-WebGlobalModule, which lists all IIS Modules installed on a system. It leverages - PowerShell input data to detect this activity by capturing the module names and - the image paths of the DLLs. This activity is significant for a SOC because it can - indicate an attempt to enumerate installed IIS modules, which could be a precursor - to exploiting vulnerabilities or misconfigurations. If confirmed malicious, this - could allow an attacker to gain insights into the web server's configuration, potentially - leading to further exploitation or privilege escalation. +description: The following analytic identifies the execution of the PowerShell cmdlet Get-WebGlobalModule, which lists all IIS Modules installed on a system. It leverages PowerShell input data to detect this activity by capturing the module names and the image paths of the DLLs. This activity is significant for a SOC because it can indicate an attempt to enumerate installed IIS modules, which could be a precursor to exploiting vulnerabilities or misconfigurations. If confirmed malicious, this could allow an attacker to gain insights into the web server's configuration, potentially leading to further exploitation or privilege escalation. data_source: - Powershell Installed IIS Modules -search: '`iis_get_webglobalmodule` | stats count min(_time) as firstTime max(_time) - as lastTime by host name image | rename host as dest | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` | `windows_iis_components_get_webglobalmodule_module_query_filter`' -how_to_implement: You must ingest the PwSh cmdlet Get-WebGlobalModule in order to - utilize this analytic. Follow https://gist.github.com/MHaggis/64396dfd9fc3734e1d1901a8f2f07040 -known_false_positives: This analytic is meant to assist with hunting modules across - a fleet of IIS servers. Filter and modify as needed. +search: '`iis_get_webglobalmodule` | stats count min(_time) as firstTime max(_time) as lastTime by host name image | rename host as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_iis_components_get_webglobalmodule_module_query_filter`' +how_to_implement: You must ingest the PwSh cmdlet Get-WebGlobalModule in order to utilize this analytic. Follow https://gist.github.com/MHaggis/64396dfd9fc3734e1d1901a8f2f07040 +known_false_positives: This analytic is meant to assist with hunting modules across a fleet of IIS servers. Filter and modify as needed. references: - https://docs.splunk.com/Documentation/Splunk/9.0.2/Data/MonitorWindowsdatawithPowerShellscripts - https://gist.github.com/MHaggis/64396dfd9fc3734e1d1901a8f2f07040 @@ -56,8 +45,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1505.004/pwsh_installediismodules.log + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1505.004/pwsh_installediismodules.log source: powershell://AppCmdModules sourcetype: Pwsh:InstalledIISModules update_timestamp: true diff --git a/detections/endpoint/windows_iis_components_module_failed_to_load.yml b/detections/endpoint/windows_iis_components_module_failed_to_load.yml index 048210af1c..1bcc9ddeae 100644 --- a/detections/endpoint/windows_iis_components_module_failed_to_load.yml +++ b/detections/endpoint/windows_iis_components_module_failed_to_load.yml @@ -20,12 +20,12 @@ references: - https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/T1505.004 - https://strontic.github.io/xcyclopedia/library/appcmd.exe-055B2B09409F980BF9B5A3969D01E5B2.html drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_iis_components_new_module_added.yml b/detections/endpoint/windows_iis_components_new_module_added.yml index e91eae585e..8c34e99e1e 100644 --- a/detections/endpoint/windows_iis_components_new_module_added.yml +++ b/detections/endpoint/windows_iis_components_new_module_added.yml @@ -20,12 +20,12 @@ references: - https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/T1505.004 - https://strontic.github.io/xcyclopedia/library/appcmd.exe-055B2B09409F980BF9B5A3969D01E5B2.html drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_impair_defense_add_xml_applocker_rules.yml b/detections/endpoint/windows_impair_defense_add_xml_applocker_rules.yml index 8f5ea164dd..f3eb00a6db 100644 --- a/detections/endpoint/windows_impair_defense_add_xml_applocker_rules.yml +++ b/detections/endpoint/windows_impair_defense_add_xml_applocker_rules.yml @@ -5,36 +5,14 @@ date: '2024-10-17' author: Teoderick Contreras, Splunk status: production type: Hunting -description: The following analytic detects the use of a PowerShell commandlet to - import an AppLocker XML policy. This behavior is identified by monitoring processes - that execute the "Import-Module Applocker" and "Set-AppLockerPolicy" commands with - the "-XMLPolicy" parameter. This activity is significant because it can indicate - an attempt to disable or bypass security controls, as seen in the Azorult malware. - If confirmed malicious, this could allow an attacker to disable antivirus products, - leading to further compromise and persistence within the environment. +description: The following analytic detects the use of a PowerShell commandlet to import an AppLocker XML policy. This behavior is identified by monitoring processes that execute the "Import-Module Applocker" and "Set-AppLockerPolicy" commands with the "-XMLPolicy" parameter. This activity is significant because it can indicate an attempt to disable or bypass security controls, as seen in the Azorult malware. If confirmed malicious, this could allow an attacker to disable antivirus products, leading to further compromise and persistence within the environment. data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` values(Processes.process) as process - min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes - where `process_powershell` AND Processes.process="*Import-Module Applocker*" AND - Processes.process="*Set-AppLockerPolicy *" AND Processes.process="* -XMLPolicy - *" by Processes.dest Processes.user Processes.parent_process Processes.process_name - Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id - | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` - | `windows_impair_defense_add_xml_applocker_rules_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection - and Response (EDR) agents. These agents are designed to provide security-related - telemetry from the endpoints where the agent is installed. To implement this search, - you must ingest logs that contain the process GUID, process name, and parent process. - Additionally, you must ingest complete command-line executions. These logs must - be processed using the appropriate Splunk Technology Add-ons that are specific to - the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` - data model. Use the Splunk Common Information Model (CIM) to normalize the field - names and speed up the data modeling process. -known_false_positives: Administrators may execute this command that may cause some - false positive. +search: '| tstats `security_content_summariesonly` values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_powershell` AND Processes.process="*Import-Module Applocker*" AND Processes.process="*Set-AppLockerPolicy *" AND Processes.process="* -XMLPolicy *" by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_impair_defense_add_xml_applocker_rules_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. +known_false_positives: Administrators may execute this command that may cause some false positive. references: - https://app.any.run/tasks/a6f2ffe2-e6e2-4396-ae2e-04ea0143f2d8/ tags: @@ -69,8 +47,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/azorult/sysmon.log + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/azorult/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog update_timestamp: true diff --git a/detections/endpoint/windows_impair_defense_change_win_defender_health_check_intervals.yml b/detections/endpoint/windows_impair_defense_change_win_defender_health_check_intervals.yml index 33b958464d..16365ffe02 100644 --- a/detections/endpoint/windows_impair_defense_change_win_defender_health_check_intervals.yml +++ b/detections/endpoint/windows_impair_defense_change_win_defender_health_check_intervals.yml @@ -16,12 +16,12 @@ references: - https://x.com/malmoeb/status/1742604217989415386?s=20 - https://github.com/undergroundwires/privacy.sexy drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_impair_defense_change_win_defender_quick_scan_interval.yml b/detections/endpoint/windows_impair_defense_change_win_defender_quick_scan_interval.yml index 180ca079ef..110e191218 100644 --- a/detections/endpoint/windows_impair_defense_change_win_defender_quick_scan_interval.yml +++ b/detections/endpoint/windows_impair_defense_change_win_defender_quick_scan_interval.yml @@ -16,12 +16,12 @@ references: - https://x.com/malmoeb/status/1742604217989415386?s=20 - https://github.com/undergroundwires/privacy.sexy drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_impair_defense_change_win_defender_throttle_rate.yml b/detections/endpoint/windows_impair_defense_change_win_defender_throttle_rate.yml index 28b1ce1032..db6fdc1bb2 100644 --- a/detections/endpoint/windows_impair_defense_change_win_defender_throttle_rate.yml +++ b/detections/endpoint/windows_impair_defense_change_win_defender_throttle_rate.yml @@ -16,12 +16,12 @@ references: - https://x.com/malmoeb/status/1742604217989415386?s=20 - https://github.com/undergroundwires/privacy.sexy drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_impair_defense_change_win_defender_tracing_level.yml b/detections/endpoint/windows_impair_defense_change_win_defender_tracing_level.yml index 6e292d7f12..9311d81cbc 100644 --- a/detections/endpoint/windows_impair_defense_change_win_defender_tracing_level.yml +++ b/detections/endpoint/windows_impair_defense_change_win_defender_tracing_level.yml @@ -16,12 +16,12 @@ references: - https://x.com/malmoeb/status/1742604217989415386?s=20 - https://github.com/undergroundwires/privacy.sexy drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_impair_defense_configure_app_install_control.yml b/detections/endpoint/windows_impair_defense_configure_app_install_control.yml index 0e0b58777f..e4fd8d30c4 100644 --- a/detections/endpoint/windows_impair_defense_configure_app_install_control.yml +++ b/detections/endpoint/windows_impair_defense_configure_app_install_control.yml @@ -16,12 +16,12 @@ references: - https://x.com/malmoeb/status/1742604217989415386?s=20 - https://github.com/undergroundwires/privacy.sexy drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_impair_defense_define_win_defender_threat_action.yml b/detections/endpoint/windows_impair_defense_define_win_defender_threat_action.yml index c27ef208cc..4f3c32de30 100644 --- a/detections/endpoint/windows_impair_defense_define_win_defender_threat_action.yml +++ b/detections/endpoint/windows_impair_defense_define_win_defender_threat_action.yml @@ -16,12 +16,12 @@ references: - https://x.com/malmoeb/status/1742604217989415386?s=20 - https://github.com/undergroundwires/privacy.sexy drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_impair_defense_delete_win_defender_context_menu.yml b/detections/endpoint/windows_impair_defense_delete_win_defender_context_menu.yml index 3a8f4a04a2..7c1ddca49d 100644 --- a/detections/endpoint/windows_impair_defense_delete_win_defender_context_menu.yml +++ b/detections/endpoint/windows_impair_defense_delete_win_defender_context_menu.yml @@ -5,30 +5,13 @@ date: '2024-10-17' author: Teoderick Contreras, Splunk status: production type: Hunting -description: The following analytic detects the deletion of the Windows Defender context - menu entry from the registry. It leverages data from the Endpoint datamodel, specifically - monitoring registry actions where the path includes "*\\shellex\\ContextMenuHandlers\\EPP" - and the action is 'deleted'. This activity is significant as it is commonly associated - with Remote Access Trojan (RAT) malware attempting to disable security features. - If confirmed malicious, this could allow an attacker to impair defenses, facilitating - further malicious activities such as unauthorized access, persistence, and data - exfiltration. +description: The following analytic detects the deletion of the Windows Defender context menu entry from the registry. It leverages data from the Endpoint datamodel, specifically monitoring registry actions where the path includes "*\\shellex\\ContextMenuHandlers\\EPP" and the action is 'deleted'. This activity is significant as it is commonly associated with Remote Access Trojan (RAT) malware attempting to disable security features. If confirmed malicious, this could allow an attacker to impair defenses, facilitating further malicious activities such as unauthorized access, persistence, and data exfiltration. data_source: -- Sysmon EventID 12 +- Sysmon EventID 12 - Sysmon EventID 13 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) - as lastTime from datamodel=Endpoint.Registry where Registry.registry_path = "*\\shellex\\ContextMenuHandlers\\EPP" - Registry.action = deleted by Registry.registry_path Registry.registry_value_name - Registry.registry_value_data Registry.process_guid Registry.action Registry.dest - Registry.user | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` | `windows_impair_defense_delete_win_defender_context_menu_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information - on process that include the name of the process responsible for the changes from - your endpoints into the `Endpoint` datamodel in the `Registry` node. -known_false_positives: It is unusual to turn this feature off a Windows system since - it is a default security control, although it is not rare for some policies to disable - it. Although no false positives have been identified, use the provided filter macro - to tune the search. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path = "*\\shellex\\ContextMenuHandlers\\EPP" Registry.action = deleted by Registry.registry_path Registry.registry_value_name Registry.registry_value_data Registry.process_guid Registry.action Registry.dest Registry.user | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_impair_defense_delete_win_defender_context_menu_filter`' +how_to_implement: To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. +known_false_positives: It is unusual to turn this feature off a Windows system since it is a default security control, although it is not rare for some policies to disable it. Although no false positives have been identified, use the provided filter macro to tune the search. references: - https://blog.malwarebytes.com/malwarebytes-news/2021/02/lazyscripter-from-empire-to-double-rat/ - https://app.any.run/tasks/45f5d114-91ea-486c-ab01-41c4093d2861/ @@ -65,8 +48,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/delete_win_defender_context_menu/sysmon.log + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/delete_win_defender_context_menu/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog update_timestamp: true diff --git a/detections/endpoint/windows_impair_defense_delete_win_defender_profile_registry.yml b/detections/endpoint/windows_impair_defense_delete_win_defender_profile_registry.yml index 92a87a2b73..61855e422f 100644 --- a/detections/endpoint/windows_impair_defense_delete_win_defender_profile_registry.yml +++ b/detections/endpoint/windows_impair_defense_delete_win_defender_profile_registry.yml @@ -16,12 +16,12 @@ references: - https://blog.malwarebytes.com/malwarebytes-news/2021/02/lazyscripter-from-empire-to-double-rat/ - https://app.any.run/tasks/45f5d114-91ea-486c-ab01-41c4093d2861/ drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_impair_defense_deny_security_software_with_applocker.yml b/detections/endpoint/windows_impair_defense_deny_security_software_with_applocker.yml index 0907aa0877..14ed082b61 100644 --- a/detections/endpoint/windows_impair_defense_deny_security_software_with_applocker.yml +++ b/detections/endpoint/windows_impair_defense_deny_security_software_with_applocker.yml @@ -16,12 +16,12 @@ references: - https://app.any.run/tasks/a6f2ffe2-e6e2-4396-ae2e-04ea0143f2d8/ - https://www.microsoftpressstore.com/articles/article.aspx?p=2228450&seqNum=11 drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_impair_defense_disable_controlled_folder_access.yml b/detections/endpoint/windows_impair_defense_disable_controlled_folder_access.yml index 9270893810..4c8b7bd899 100644 --- a/detections/endpoint/windows_impair_defense_disable_controlled_folder_access.yml +++ b/detections/endpoint/windows_impair_defense_disable_controlled_folder_access.yml @@ -16,12 +16,12 @@ references: - https://x.com/malmoeb/status/1742604217989415386?s=20 - https://github.com/undergroundwires/privacy.sexy drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_impair_defense_disable_defender_firewall_and_network.yml b/detections/endpoint/windows_impair_defense_disable_defender_firewall_and_network.yml index be9f9d403d..8ba421485a 100644 --- a/detections/endpoint/windows_impair_defense_disable_defender_firewall_and_network.yml +++ b/detections/endpoint/windows_impair_defense_disable_defender_firewall_and_network.yml @@ -16,12 +16,12 @@ references: - https://x.com/malmoeb/status/1742604217989415386?s=20 - https://github.com/undergroundwires/privacy.sexy drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_impair_defense_disable_defender_protocol_recognition.yml b/detections/endpoint/windows_impair_defense_disable_defender_protocol_recognition.yml index 25ef7bbea3..f9ca2eb107 100644 --- a/detections/endpoint/windows_impair_defense_disable_defender_protocol_recognition.yml +++ b/detections/endpoint/windows_impair_defense_disable_defender_protocol_recognition.yml @@ -16,12 +16,12 @@ references: - https://x.com/malmoeb/status/1742604217989415386?s=20 - https://github.com/undergroundwires/privacy.sexy drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_impair_defense_disable_pua_protection.yml b/detections/endpoint/windows_impair_defense_disable_pua_protection.yml index fc6404dc85..a7be75397f 100644 --- a/detections/endpoint/windows_impair_defense_disable_pua_protection.yml +++ b/detections/endpoint/windows_impair_defense_disable_pua_protection.yml @@ -16,12 +16,12 @@ references: - https://x.com/malmoeb/status/1742604217989415386?s=20 - https://github.com/undergroundwires/privacy.sexy drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_impair_defense_disable_realtime_signature_delivery.yml b/detections/endpoint/windows_impair_defense_disable_realtime_signature_delivery.yml index b54b2b61cb..ac5bad3cb0 100644 --- a/detections/endpoint/windows_impair_defense_disable_realtime_signature_delivery.yml +++ b/detections/endpoint/windows_impair_defense_disable_realtime_signature_delivery.yml @@ -16,12 +16,12 @@ references: - https://x.com/malmoeb/status/1742604217989415386?s=20 - https://github.com/undergroundwires/privacy.sexy drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_impair_defense_disable_web_evaluation.yml b/detections/endpoint/windows_impair_defense_disable_web_evaluation.yml index 17feb7e623..ecc4583494 100644 --- a/detections/endpoint/windows_impair_defense_disable_web_evaluation.yml +++ b/detections/endpoint/windows_impair_defense_disable_web_evaluation.yml @@ -16,12 +16,12 @@ references: - https://x.com/malmoeb/status/1742604217989415386?s=20 - https://github.com/undergroundwires/privacy.sexy drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_impair_defense_disable_win_defender_app_guard.yml b/detections/endpoint/windows_impair_defense_disable_win_defender_app_guard.yml index bc3cfac229..0b538ecd9a 100644 --- a/detections/endpoint/windows_impair_defense_disable_win_defender_app_guard.yml +++ b/detections/endpoint/windows_impair_defense_disable_win_defender_app_guard.yml @@ -16,12 +16,12 @@ references: - https://x.com/malmoeb/status/1742604217989415386?s=20 - https://github.com/undergroundwires/privacy.sexy drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_impair_defense_disable_win_defender_compute_file_hashes.yml b/detections/endpoint/windows_impair_defense_disable_win_defender_compute_file_hashes.yml index 0a99bc8e59..7ab6c284cf 100644 --- a/detections/endpoint/windows_impair_defense_disable_win_defender_compute_file_hashes.yml +++ b/detections/endpoint/windows_impair_defense_disable_win_defender_compute_file_hashes.yml @@ -16,12 +16,12 @@ references: - https://x.com/malmoeb/status/1742604217989415386?s=20 - https://github.com/undergroundwires/privacy.sexy drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_impair_defense_disable_win_defender_gen_reports.yml b/detections/endpoint/windows_impair_defense_disable_win_defender_gen_reports.yml index e352961b06..707b6e9d2e 100644 --- a/detections/endpoint/windows_impair_defense_disable_win_defender_gen_reports.yml +++ b/detections/endpoint/windows_impair_defense_disable_win_defender_gen_reports.yml @@ -16,12 +16,12 @@ references: - https://x.com/malmoeb/status/1742604217989415386?s=20 - https://github.com/undergroundwires/privacy.sexy drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_impair_defense_disable_win_defender_network_protection.yml b/detections/endpoint/windows_impair_defense_disable_win_defender_network_protection.yml index 80d523d918..13f66cd837 100644 --- a/detections/endpoint/windows_impair_defense_disable_win_defender_network_protection.yml +++ b/detections/endpoint/windows_impair_defense_disable_win_defender_network_protection.yml @@ -16,12 +16,12 @@ references: - https://x.com/malmoeb/status/1742604217989415386?s=20 - https://github.com/undergroundwires/privacy.sexy drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_impair_defense_disable_win_defender_report_infection.yml b/detections/endpoint/windows_impair_defense_disable_win_defender_report_infection.yml index c949482708..4ad3706628 100644 --- a/detections/endpoint/windows_impair_defense_disable_win_defender_report_infection.yml +++ b/detections/endpoint/windows_impair_defense_disable_win_defender_report_infection.yml @@ -16,12 +16,12 @@ references: - https://x.com/malmoeb/status/1742604217989415386?s=20 - https://github.com/undergroundwires/privacy.sexy drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_impair_defense_disable_win_defender_scan_on_update.yml b/detections/endpoint/windows_impair_defense_disable_win_defender_scan_on_update.yml index c4d0bda023..7314387e18 100644 --- a/detections/endpoint/windows_impair_defense_disable_win_defender_scan_on_update.yml +++ b/detections/endpoint/windows_impair_defense_disable_win_defender_scan_on_update.yml @@ -16,12 +16,12 @@ references: - https://x.com/malmoeb/status/1742604217989415386?s=20 - https://github.com/undergroundwires/privacy.sexy drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_impair_defense_disable_win_defender_signature_retirement.yml b/detections/endpoint/windows_impair_defense_disable_win_defender_signature_retirement.yml index 336f469b0d..87b559f94e 100644 --- a/detections/endpoint/windows_impair_defense_disable_win_defender_signature_retirement.yml +++ b/detections/endpoint/windows_impair_defense_disable_win_defender_signature_retirement.yml @@ -16,12 +16,12 @@ references: - https://x.com/malmoeb/status/1742604217989415386?s=20 - https://github.com/undergroundwires/privacy.sexy drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_impair_defense_overide_win_defender_phishing_filter.yml b/detections/endpoint/windows_impair_defense_overide_win_defender_phishing_filter.yml index 6dac8f01ca..0282f61043 100644 --- a/detections/endpoint/windows_impair_defense_overide_win_defender_phishing_filter.yml +++ b/detections/endpoint/windows_impair_defense_overide_win_defender_phishing_filter.yml @@ -16,12 +16,12 @@ references: - https://x.com/malmoeb/status/1742604217989415386?s=20 - https://github.com/undergroundwires/privacy.sexy drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_impair_defense_override_smartscreen_prompt.yml b/detections/endpoint/windows_impair_defense_override_smartscreen_prompt.yml index ee5d771405..f63e05df45 100644 --- a/detections/endpoint/windows_impair_defense_override_smartscreen_prompt.yml +++ b/detections/endpoint/windows_impair_defense_override_smartscreen_prompt.yml @@ -16,12 +16,12 @@ references: - https://x.com/malmoeb/status/1742604217989415386?s=20 - https://github.com/undergroundwires/privacy.sexy drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_impair_defense_set_win_defender_smart_screen_level_to_warn.yml b/detections/endpoint/windows_impair_defense_set_win_defender_smart_screen_level_to_warn.yml index c7c26c2d49..4526fc4a78 100644 --- a/detections/endpoint/windows_impair_defense_set_win_defender_smart_screen_level_to_warn.yml +++ b/detections/endpoint/windows_impair_defense_set_win_defender_smart_screen_level_to_warn.yml @@ -16,12 +16,12 @@ references: - https://x.com/malmoeb/status/1742604217989415386?s=20 - https://github.com/undergroundwires/privacy.sexy drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_impair_defenses_disable_av_autostart_via_registry.yml b/detections/endpoint/windows_impair_defenses_disable_av_autostart_via_registry.yml index a78fcbc36f..99dc7b688d 100644 --- a/detections/endpoint/windows_impair_defenses_disable_av_autostart_via_registry.yml +++ b/detections/endpoint/windows_impair_defenses_disable_av_autostart_via_registry.yml @@ -15,12 +15,12 @@ references: - https://www.proofpoint.com/us/blog/threat-insight/chinese-malware-appears-earnest-across-cybercrime-threat-landscape - https://www.fortinet.com/blog/threat-research/valleyrat-campaign-targeting-chinese-speakers drilldown_searches: -- name: View the detection results for $user$ and $dest$ - search: '%original_detection_search% | search user = $user$ dest = $dest$' +- name: View the detection results for - "$user$" and "$dest$" + search: '%original_detection_search% | search user = "$user$" dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ and $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$, $dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" and "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_impair_defenses_disable_hvci.yml b/detections/endpoint/windows_impair_defenses_disable_hvci.yml index eb7f963b4e..7f68d9c4fe 100644 --- a/detections/endpoint/windows_impair_defenses_disable_hvci.yml +++ b/detections/endpoint/windows_impair_defenses_disable_hvci.yml @@ -15,12 +15,12 @@ known_false_positives: False positives will be limited to administrative scripts references: - https://www.microsoft.com/en-us/security/blog/2023/04/11/guidance-for-investigating-attacks-using-cve-2022-21894-the-blacklotus-campaign/ drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_impair_defenses_disable_win_defender_auto_logging.yml b/detections/endpoint/windows_impair_defenses_disable_win_defender_auto_logging.yml index a0f6eb965c..eaf0b880ae 100644 --- a/detections/endpoint/windows_impair_defenses_disable_win_defender_auto_logging.yml +++ b/detections/endpoint/windows_impair_defenses_disable_win_defender_auto_logging.yml @@ -16,12 +16,12 @@ references: - https://blog.malwarebytes.com/malwarebytes-news/2021/02/lazyscripter-from-empire-to-double-rat/ - https://app.any.run/tasks/45f5d114-91ea-486c-ab01-41c4093d2861/ drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_indicator_removal_via_rmdir.yml b/detections/endpoint/windows_indicator_removal_via_rmdir.yml index 40abb1c8cd..2144d86244 100644 --- a/detections/endpoint/windows_indicator_removal_via_rmdir.yml +++ b/detections/endpoint/windows_indicator_removal_via_rmdir.yml @@ -16,12 +16,12 @@ known_false_positives: user and network administrator can execute this command. references: - https://malpedia.caad.fkie.fraunhofer.de/details/win.darkgate drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_indirect_command_execution_via_forfiles.yml b/detections/endpoint/windows_indirect_command_execution_via_forfiles.yml index f86bb6d68a..5e78e63eff 100644 --- a/detections/endpoint/windows_indirect_command_execution_via_forfiles.yml +++ b/detections/endpoint/windows_indirect_command_execution_via_forfiles.yml @@ -17,12 +17,12 @@ references: - https://twitter.com/KyleHanslovan/status/912659279806640128 - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/forfiles drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_indirect_command_execution_via_pcalua.yml b/detections/endpoint/windows_indirect_command_execution_via_pcalua.yml index 7a3be8f872..0d53d3a046 100644 --- a/detections/endpoint/windows_indirect_command_execution_via_pcalua.yml +++ b/detections/endpoint/windows_indirect_command_execution_via_pcalua.yml @@ -17,12 +17,12 @@ references: - https://twitter.com/KyleHanslovan/status/912659279806640128 - https://lolbas-project.github.io/lolbas/Binaries/Pcalua/ drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_indirect_command_execution_via_series_of_forfiles.yml b/detections/endpoint/windows_indirect_command_execution_via_series_of_forfiles.yml index c523887a16..1bb7c296e8 100644 --- a/detections/endpoint/windows_indirect_command_execution_via_series_of_forfiles.yml +++ b/detections/endpoint/windows_indirect_command_execution_via_series_of_forfiles.yml @@ -18,12 +18,12 @@ references: - https://github.com/carlospolop/PEASS-ng/tree/master/winPEAS - https://www.microsoft.com/en-us/security/blog/2022/10/14/new-prestige-ransomware-impacts-organizations-in-ukraine-and-poland/ drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_information_discovery_fsutil.yml b/detections/endpoint/windows_information_discovery_fsutil.yml index 84c28ec91d..d89c3c02f0 100644 --- a/detections/endpoint/windows_information_discovery_fsutil.yml +++ b/detections/endpoint/windows_information_discovery_fsutil.yml @@ -18,12 +18,12 @@ references: - https://github.com/carlospolop/PEASS-ng/tree/master/winPEAS - https://www.microsoft.com/en-us/security/blog/2022/10/14/new-prestige-ransomware-impacts-organizations-in-ukraine-and-poland/ drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_ingress_tool_transfer_using_explorer.yml b/detections/endpoint/windows_ingress_tool_transfer_using_explorer.yml index e0a452fbee..9228603221 100644 --- a/detections/endpoint/windows_ingress_tool_transfer_using_explorer.yml +++ b/detections/endpoint/windows_ingress_tool_transfer_using_explorer.yml @@ -16,12 +16,12 @@ known_false_positives: False positives may be present based on legitimate applic references: - https://www.mandiant.com/resources/analyzing-dark-crystal-rat-backdoor drilldown_searches: -- name: View the detection results for $user$ and $dest$ - search: '%original_detection_search% | search user = $user$ dest = $dest$' +- name: View the detection results for - "$user$" and "$dest$" + search: '%original_detection_search% | search user = "$user$" dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ and $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$, $dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" and "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_inprocserver32_new_outlook_form.yml b/detections/endpoint/windows_inprocserver32_new_outlook_form.yml index d5cd399012..e7c32fc6aa 100644 --- a/detections/endpoint/windows_inprocserver32_new_outlook_form.yml +++ b/detections/endpoint/windows_inprocserver32_new_outlook_form.yml @@ -14,12 +14,12 @@ known_false_positives: False positives are possible if the organization adds new references: - https://www.netspi.com/blog/technical/red-team-operations/microsoft-outlook-remote-code-execution-cve-2024-21378/ drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_input_capture_using_credential_ui_dll.yml b/detections/endpoint/windows_input_capture_using_credential_ui_dll.yml index 0dedcfc9a0..bcc723ae28 100644 --- a/detections/endpoint/windows_input_capture_using_credential_ui_dll.yml +++ b/detections/endpoint/windows_input_capture_using_credential_ui_dll.yml @@ -5,26 +5,12 @@ date: '2024-10-17' author: Teoderick Contreras, Splunk status: production type: Hunting -description: The following analytic detects a process loading the credui.dll or wincredui.dll - module. This detection leverages Sysmon EventCode 7 to identify instances where - these DLLs are loaded by processes outside typical system directories. This activity - is significant because adversaries often abuse these modules to create fake credential - prompts or dump credentials, posing a risk of credential theft. If confirmed malicious, - this activity could allow attackers to harvest user credentials, leading to unauthorized - access and potential lateral movement within the network. +description: The following analytic detects a process loading the credui.dll or wincredui.dll module. This detection leverages Sysmon EventCode 7 to identify instances where these DLLs are loaded by processes outside typical system directories. This activity is significant because adversaries often abuse these modules to create fake credential prompts or dump credentials, posing a risk of credential theft. If confirmed malicious, this activity could allow attackers to harvest user credentials, leading to unauthorized access and potential lateral movement within the network. data_source: - Sysmon EventID 7 -search: '`sysmon` EventCode=7 (ImageLoaded = "*\\credui.dll" AND OriginalFileName - = "credui.dll") OR (ImageLoaded = "*\\wincredui.dll" AND OriginalFileName = "wincredui.dll") - AND NOT(Image IN("*\\windows\\explorer.exe", "*\\windows\\system32\\*", "*\\windows\\sysWow64\\*", - "*:\\program files*")) | stats count min(_time) as firstTime max(_time) as lastTime - by Image ImageLoaded OriginalFileName dest EventCode Signed ProcessId ProcessGuid - | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_input_capture_using_credential_ui_dll_filter`' -how_to_implement: The latest Sysmon TA 3.0 https://splunkbase.splunk.com/app/5709 - will add the ImageLoaded name to the process_name field, allowing this query to - work. Use as an example and implement for other products. -known_false_positives: this module can be loaded by a third party application. Filter - is needed. +search: '`sysmon` EventCode=7 (ImageLoaded = "*\\credui.dll" AND OriginalFileName = "credui.dll") OR (ImageLoaded = "*\\wincredui.dll" AND OriginalFileName = "wincredui.dll") AND NOT(Image IN("*\\windows\\explorer.exe", "*\\windows\\system32\\*", "*\\windows\\sysWow64\\*", "*:\\program files*")) | stats count min(_time) as firstTime max(_time) as lastTime by Image ImageLoaded OriginalFileName dest EventCode Signed ProcessId ProcessGuid | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_input_capture_using_credential_ui_dll_filter`' +how_to_implement: The latest Sysmon TA 3.0 https://splunkbase.splunk.com/app/5709 will add the ImageLoaded name to the process_name field, allowing this query to work. Use as an example and implement for other products. +known_false_positives: this module can be loaded by a third party application. Filter is needed. references: - https://docs.microsoft.com/en-us/windows/win32/api/wincred/nf-wincred-creduipromptforcredentialsa - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.002/T1056.002.md#atomic-test-2---powershell---prompt-user-for-password @@ -61,8 +47,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/brute_ratel/iso_version_dll_campaign/sysmon.log + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/brute_ratel/iso_version_dll_campaign/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog update_timestamp: true diff --git a/detections/endpoint/windows_installutil_credential_theft.yml b/detections/endpoint/windows_installutil_credential_theft.yml index e7aa42e300..e49dd98b82 100644 --- a/detections/endpoint/windows_installutil_credential_theft.yml +++ b/detections/endpoint/windows_installutil_credential_theft.yml @@ -14,12 +14,12 @@ known_false_positives: Typically, this will not trigger because, by its very nat references: - https://gist.github.com/xorrior/bbac3919ca2aef8d924bdf3b16cce3d0 drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_installutil_in_non_standard_path.yml b/detections/endpoint/windows_installutil_in_non_standard_path.yml index 1b2cb32619..2f246ae4c0 100644 --- a/detections/endpoint/windows_installutil_in_non_standard_path.yml +++ b/detections/endpoint/windows_installutil_in_non_standard_path.yml @@ -19,12 +19,12 @@ references: - https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.004/T1218.004.md drilldown_searches: -- name: View the detection results for $user$ and $dest$ - search: '%original_detection_search% | search user = $user$ dest = $dest$' +- name: View the detection results for - "$user$" and "$dest$" + search: '%original_detection_search% | search user = "$user$" dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ and $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$, $dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" and "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_installutil_remote_network_connection.yml b/detections/endpoint/windows_installutil_remote_network_connection.yml index 66bc365d1f..f469f3e1c3 100644 --- a/detections/endpoint/windows_installutil_remote_network_connection.yml +++ b/detections/endpoint/windows_installutil_remote_network_connection.yml @@ -14,12 +14,12 @@ known_false_positives: Limited false positives should be present as InstallUtil references: - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.004/T1218.004.md drilldown_searches: -- name: View the detection results for $user$ and $dest$ - search: '%original_detection_search% | search user = $user$ dest = $dest$' +- name: View the detection results for - "$user$" and "$dest$" + search: '%original_detection_search% | search user = "$user$" dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ and $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$, $dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" and "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_installutil_uninstall_option.yml b/detections/endpoint/windows_installutil_uninstall_option.yml index f0b3c4566a..d865a51b17 100644 --- a/detections/endpoint/windows_installutil_uninstall_option.yml +++ b/detections/endpoint/windows_installutil_uninstall_option.yml @@ -18,12 +18,12 @@ references: - https://github.com/api0cradle/UltimateAppLockerByPassList/blob/master/md/Installutil.exe.md - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.004/T1218.004.md drilldown_searches: -- name: View the detection results for $user$ and $dest$ - search: '%original_detection_search% | search user = $user$ dest = $dest$' +- name: View the detection results for - "$user$" and "$dest$" + search: '%original_detection_search% | search user = "$user$" dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ and $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$, $dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" and "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_installutil_uninstall_option_with_network.yml b/detections/endpoint/windows_installutil_uninstall_option_with_network.yml index bdccb19ad0..6f904f9d01 100644 --- a/detections/endpoint/windows_installutil_uninstall_option_with_network.yml +++ b/detections/endpoint/windows_installutil_uninstall_option_with_network.yml @@ -16,12 +16,12 @@ references: - https://github.com/api0cradle/UltimateAppLockerByPassList/blob/master/md/Installutil.exe.md - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.004/T1218.004.md drilldown_searches: -- name: View the detection results for $user$ and $dest$ - search: '%original_detection_search% | search user = $user$ dest = $dest$' +- name: View the detection results for - "$user$" and "$dest$" + search: '%original_detection_search% | search user = "$user$" dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ and $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$, $dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" and "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_installutil_url_in_command_line.yml b/detections/endpoint/windows_installutil_url_in_command_line.yml index 9f583890fb..1f27fc8cc3 100644 --- a/detections/endpoint/windows_installutil_url_in_command_line.yml +++ b/detections/endpoint/windows_installutil_url_in_command_line.yml @@ -17,12 +17,12 @@ references: - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.004/T1218.004.md - https://gist.github.com/DanielRTeixeira/0fd06ec8f041f34a32bf5623c6dd479d drilldown_searches: -- name: View the detection results for $user$ and $dest$ - search: '%original_detection_search% | search user = $user$ dest = $dest$' +- name: View the detection results for - "$user$" and "$dest$" + search: '%original_detection_search% | search user = "$user$" dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ and $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$, $dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" and "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_iso_lnk_file_creation.yml b/detections/endpoint/windows_iso_lnk_file_creation.yml index d210754871..a3f7c9b8dc 100644 --- a/detections/endpoint/windows_iso_lnk_file_creation.yml +++ b/detections/endpoint/windows_iso_lnk_file_creation.yml @@ -5,29 +5,12 @@ date: '2024-10-17' author: Michael Haag, Teoderick Contreras, Splunk status: production type: Hunting -description: The following analytic detects the creation of .iso.lnk files in the - %USER%\AppData\Local\Temp\\ path, indicating that an ISO file - has been mounted and accessed. This detection leverages the Endpoint.Filesystem - data model, specifically monitoring file creation events in the Windows Recent folder. - This activity is significant as it may indicate the delivery and execution of potentially - malicious payloads via ISO files. If confirmed malicious, this could lead to unauthorized - code execution, data exfiltration, or further system compromise. +description: The following analytic detects the creation of .iso.lnk files in the %USER%\AppData\Local\Temp\\ path, indicating that an ISO file has been mounted and accessed. This detection leverages the Endpoint.Filesystem data model, specifically monitoring file creation events in the Windows Recent folder. This activity is significant as it may indicate the delivery and execution of potentially malicious payloads via ISO files. If confirmed malicious, this could lead to unauthorized code execution, data exfiltration, or further system compromise. data_source: - Sysmon EventID 11 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) - as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.file_path IN ("*\\Microsoft\\Windows\\Recent\\*") - Filesystem.file_name IN ("*.iso.lnk", "*.img.lnk", "*.vhd.lnk", "*vhdx.lnk") by - Filesystem.file_create_time Filesystem.process_id Filesystem.file_name Filesystem.file_path - Filesystem.dest | `drop_dm_object_name(Filesystem)` | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` | `windows_iso_lnk_file_creation_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information - on process that include the name of the process responsible for the changes from - your endpoints into the `Endpoint` datamodel in the `Filesystem` node. In addition, - confirm the latest CIM App 4.20 or higher is installed and the latest TA for the - endpoint product. -known_false_positives: False positives may be high depending on the environment and - consistent use of ISOs mounting. Restrict to servers, or filter out based on commonly - used ISO names. Filter as needed. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.file_path IN ("*\\Microsoft\\Windows\\Recent\\*") Filesystem.file_name IN ("*.iso.lnk", "*.img.lnk", "*.vhd.lnk", "*vhdx.lnk") by Filesystem.file_create_time Filesystem.process_id Filesystem.file_name Filesystem.file_path Filesystem.dest | `drop_dm_object_name(Filesystem)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_iso_lnk_file_creation_filter`' +how_to_implement: To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Filesystem` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product. +known_false_positives: False positives may be high depending on the environment and consistent use of ISOs mounting. Restrict to servers, or filter out based on commonly used ISO names. Filter as needed. references: - https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/ - https://github.com/MHaggis/notes/blob/master/utilities/ISOBuilder.ps1 @@ -48,8 +31,7 @@ tags: asset_type: Endpoint confidence: 50 impact: 80 - message: An ISO file was mounted on $dest$ and should be reviewed and filtered as - needed. + message: An ISO file was mounted on $dest$ and should be reviewed and filtered as needed. mitre_attack_id: - T1566.001 - T1566 @@ -75,7 +57,6 @@ tags: tests: - name: True Positive Test attack_data: - - data: - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1556.001/atomic_red_team/iso_windows-sysmon.log + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1556.001/atomic_red_team/iso_windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/windows_java_spawning_shells.yml b/detections/endpoint/windows_java_spawning_shells.yml index 7142097a14..542814745e 100644 --- a/detections/endpoint/windows_java_spawning_shells.yml +++ b/detections/endpoint/windows_java_spawning_shells.yml @@ -5,34 +5,14 @@ date: '2024-10-17' author: Michael Haag, Splunk status: experimental type: TTP -description: The following analytic identifies instances where java.exe or w3wp.exe - spawns a Windows shell, such as cmd.exe or powershell.exe. This detection leverages - data from Endpoint Detection and Response (EDR) agents, focusing on process and - parent process relationships. This activity is significant as it may indicate exploitation - attempts, such as those related to CVE-2021-44228 (Log4Shell). If confirmed malicious, - attackers could execute arbitrary commands, potentially leading to system compromise, - data exfiltration, or further lateral movement within the network. +description: The following analytic identifies instances where java.exe or w3wp.exe spawns a Windows shell, such as cmd.exe or powershell.exe. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process and parent process relationships. This activity is significant as it may indicate exploitation attempts, such as those related to CVE-2021-44228 (Log4Shell). If confirmed malicious, attackers could execute arbitrary commands, potentially leading to system compromise, data exfiltration, or further lateral movement within the network. data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) - as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=java.exe - OR Processes.parent_process_name=w3wp.exe `windows_shells` by Processes.dest Processes.user - Processes.parent_process_name Processes.process_name Processes.process Processes.process_id - Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` | `windows_java_spawning_shells_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection - and Response (EDR) agents. These agents are designed to provide security-related - telemetry from the endpoints where the agent is installed. To implement this search, - you must ingest logs that contain the process GUID, process name, and parent process. - Additionally, you must ingest complete command-line executions. These logs must - be processed using the appropriate Splunk Technology Add-ons that are specific to - the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` - data model. Use the Splunk Common Information Model (CIM) to normalize the field - names and speed up the data modeling process. -known_false_positives: Filtering may be required on internal developer build systems - or classify assets as web facing and restrict the analytic based on that. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=java.exe OR Processes.parent_process_name=w3wp.exe `windows_shells` by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_java_spawning_shells_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. +known_false_positives: Filtering may be required on internal developer build systems or classify assets as web facing and restrict the analytic based on that. references: - https://blog.netlab.360.com/ten-families-of-malicious-samples-are-spreading-using-the-log4j2-vulnerability-now/ - https://gist.github.com/olafhartong/916ebc673ba066537740164f7e7e1d72 @@ -50,8 +30,7 @@ tags: - CVE-2021-44228 - CVE-2022-47966 impact: 80 - message: An instance of $parent_process_name$ spawning $process_name$ was identified - on endpoint $dest$ spawning a Windows shell, potentially indicative of exploitation. + message: An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ spawning a Windows shell, potentially indicative of exploitation. mitre_attack_id: - T1190 - T1133 diff --git a/detections/endpoint/windows_kerberos_local_successful_logon.yml b/detections/endpoint/windows_kerberos_local_successful_logon.yml index 2f28887370..170fd211dc 100644 --- a/detections/endpoint/windows_kerberos_local_successful_logon.yml +++ b/detections/endpoint/windows_kerberos_local_successful_logon.yml @@ -14,12 +14,12 @@ known_false_positives: False positives are possible, filtering may be required t references: - https://github.com/Dec0ne/KrbRelayUp drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_known_abused_dll_created.yml b/detections/endpoint/windows_known_abused_dll_created.yml index f87d8c58ba..d1996b5d71 100644 --- a/detections/endpoint/windows_known_abused_dll_created.yml +++ b/detections/endpoint/windows_known_abused_dll_created.yml @@ -17,12 +17,12 @@ references: - https://wietze.github.io/blog/hijacking-dlls-in-windows - https://github.com/olafhartong/sysmon-modular/pull/195/files drilldown_searches: -- name: View the detection results for $dest$ and $user$ - search: '%original_detection_search% | search dest = $dest$ user = $user$' +- name: View the detection results for - "$dest$" and "$user$" + search: '%original_detection_search% | search dest = "$dest$" user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ and $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$, $user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" and "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_known_abused_dll_loaded_suspiciously.yml b/detections/endpoint/windows_known_abused_dll_loaded_suspiciously.yml index 5cbf0e4af6..17d76102de 100644 --- a/detections/endpoint/windows_known_abused_dll_loaded_suspiciously.yml +++ b/detections/endpoint/windows_known_abused_dll_loaded_suspiciously.yml @@ -17,12 +17,12 @@ references: - https://wietze.github.io/blog/hijacking-dlls-in-windows - https://github.com/olafhartong/sysmon-modular/pull/195/files drilldown_searches: -- name: View the detection results for $dest$ and $user$ - search: '%original_detection_search% | search dest = $dest$ user = $user$' +- name: View the detection results for - "$dest$" and "$user$" + search: '%original_detection_search% | search dest = "$dest$" user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ and $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$, $user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" and "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_known_graphicalproton_loaded_modules.yml b/detections/endpoint/windows_known_graphicalproton_loaded_modules.yml index 17f9b0be75..17eaa35bf4 100644 --- a/detections/endpoint/windows_known_graphicalproton_loaded_modules.yml +++ b/detections/endpoint/windows_known_graphicalproton_loaded_modules.yml @@ -14,12 +14,12 @@ known_false_positives: unknown references: - https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_krbrelayup_service_creation.yml b/detections/endpoint/windows_krbrelayup_service_creation.yml index 20be20d84e..bffd9e712f 100644 --- a/detections/endpoint/windows_krbrelayup_service_creation.yml +++ b/detections/endpoint/windows_krbrelayup_service_creation.yml @@ -14,12 +14,12 @@ known_false_positives: False positives should be limited as this is specific to references: - https://github.com/Dec0ne/KrbRelayUp drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_large_number_of_computer_service_tickets_requested.yml b/detections/endpoint/windows_large_number_of_computer_service_tickets_requested.yml index c626ee5998..366c9748e9 100644 --- a/detections/endpoint/windows_large_number_of_computer_service_tickets_requested.yml +++ b/detections/endpoint/windows_large_number_of_computer_service_tickets_requested.yml @@ -16,12 +16,12 @@ references: - https://attack.mitre.org/techniques/T1135/ - https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4769 drilldown_searches: -- name: View the detection results for $IpAddress$ - search: '%original_detection_search% | search IpAddress = $IpAddress$' +- name: View the detection results for - "$IpAddress$" + search: '%original_detection_search% | search IpAddress = "$IpAddress$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $IpAddress$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($IpAddress$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$IpAddress$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$IpAddress$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_lateral_tool_transfer_remcom.yml b/detections/endpoint/windows_lateral_tool_transfer_remcom.yml index ece97b3fd4..658cdc47b8 100644 --- a/detections/endpoint/windows_lateral_tool_transfer_remcom.yml +++ b/detections/endpoint/windows_lateral_tool_transfer_remcom.yml @@ -17,12 +17,12 @@ references: - https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/ - https://github.com/kavika13/RemCom drilldown_searches: -- name: View the detection results for $user$ and $dest$ - search: '%original_detection_search% | search user = $user$ dest = $dest$' +- name: View the detection results for - "$user$" and "$dest$" + search: '%original_detection_search% | search user = "$user$" dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ and $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$, $dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" and "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_ldifde_directory_object_behavior.yml b/detections/endpoint/windows_ldifde_directory_object_behavior.yml index 66d890c3e7..69652be4fc 100644 --- a/detections/endpoint/windows_ldifde_directory_object_behavior.yml +++ b/detections/endpoint/windows_ldifde_directory_object_behavior.yml @@ -19,12 +19,12 @@ references: - https://twitter.com/0gtweet/status/1564968845726580736?s=20 - https://strontic.github.io/xcyclopedia/library/ldifde.exe-45D28FB47E9B6ACC5DCA9FDA3E790210.html drilldown_searches: -- name: View the detection results for $user$ and $dest$ - search: '%original_detection_search% | search user = $user$ dest = $dest$' +- name: View the detection results for - "$user$" and "$dest$" + search: '%original_detection_search% | search user = "$user$" dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ and $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$, $dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" and "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_linked_policies_in_adsi_discovery.yml b/detections/endpoint/windows_linked_policies_in_adsi_discovery.yml index 3c52b056f8..8b03cafb14 100644 --- a/detections/endpoint/windows_linked_policies_in_adsi_discovery.yml +++ b/detections/endpoint/windows_linked_policies_in_adsi_discovery.yml @@ -15,12 +15,12 @@ references: - https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/ - https://medium.com/@pentesttas/discover-hidden-gpo-s-on-active-directory-using-ps-adsi-a284b6814c81 drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_local_administrator_credential_stuffing.yml b/detections/endpoint/windows_local_administrator_credential_stuffing.yml index 7e17354efe..df396b920c 100644 --- a/detections/endpoint/windows_local_administrator_credential_stuffing.yml +++ b/detections/endpoint/windows_local_administrator_credential_stuffing.yml @@ -20,12 +20,12 @@ references: - https://www.praetorian.com/blog/microsofts-local-administrator-password-solution-laps/ - https://wiki.porchetta.industries/smb-protocol/password-spraying drilldown_searches: -- name: View the detection results for $host_targets$ - search: '%original_detection_search% | search host_targets = $host_targets$' +- name: View the detection results for - "$host_targets$" + search: '%original_detection_search% | search host_targets = "$host_targets$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $host_targets$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($host_targets$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$host_targets$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$host_targets$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_lolbas_executed_as_renamed_file.yml b/detections/endpoint/windows_lolbas_executed_as_renamed_file.yml index 3d4376b69c..36e57df4a1 100644 --- a/detections/endpoint/windows_lolbas_executed_as_renamed_file.yml +++ b/detections/endpoint/windows_lolbas_executed_as_renamed_file.yml @@ -17,12 +17,12 @@ references: - https://attack.mitre.org/techniques/T1036/ - https://attack.mitre.org/techniques/T1036/003/ drilldown_searches: -- name: View the detection results for $dest$ and $user$ - search: '%original_detection_search% | search dest = $dest$ user = $user$' +- name: View the detection results for - "$dest$" and "$user$" + search: '%original_detection_search% | search dest = "$dest$" user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ and $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$, $user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" and "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_lolbas_executed_outside_expected_path.yml b/detections/endpoint/windows_lolbas_executed_outside_expected_path.yml index 5fd1d608af..27e77c85c2 100644 --- a/detections/endpoint/windows_lolbas_executed_outside_expected_path.yml +++ b/detections/endpoint/windows_lolbas_executed_outside_expected_path.yml @@ -16,12 +16,12 @@ references: - https://attack.mitre.org/techniques/T1036/ - https://attack.mitre.org/techniques/T1036/005/ drilldown_searches: -- name: View the detection results for $user$ and $dest$ - search: '%original_detection_search% | search user = $user$ dest = $dest$' +- name: View the detection results for - "$user$" and "$dest$" + search: '%original_detection_search% | search user = "$user$" dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ and $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$, $dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" and "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_lsa_secrets_nolmhash_registry.yml b/detections/endpoint/windows_lsa_secrets_nolmhash_registry.yml index abb8e79095..4f53ec3065 100644 --- a/detections/endpoint/windows_lsa_secrets_nolmhash_registry.yml +++ b/detections/endpoint/windows_lsa_secrets_nolmhash_registry.yml @@ -15,12 +15,12 @@ known_false_positives: Administrator may change this registry setting. references: - https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a drilldown_searches: -- name: View the detection results for $dest$ and $user$ - search: '%original_detection_search% | search dest = $dest$ user = $user$' +- name: View the detection results for - "$dest$" and "$user$" + search: '%original_detection_search% | search dest = "$dest$" user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ and $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$, $user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" and "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_mail_protocol_in_non_common_process_path.yml b/detections/endpoint/windows_mail_protocol_in_non_common_process_path.yml index e86656eac3..39ebaf7753 100644 --- a/detections/endpoint/windows_mail_protocol_in_non_common_process_path.yml +++ b/detections/endpoint/windows_mail_protocol_in_non_common_process_path.yml @@ -14,12 +14,12 @@ known_false_positives: third party application may use this network protocol as references: - https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_mark_of_the_web_bypass.yml b/detections/endpoint/windows_mark_of_the_web_bypass.yml index 82e3469cd0..3062dc55a8 100644 --- a/detections/endpoint/windows_mark_of_the_web_bypass.yml +++ b/detections/endpoint/windows_mark_of_the_web_bypass.yml @@ -15,12 +15,12 @@ references: - https://attack.mitre.org/techniques/T1553/005/ - https://github.com/nmantani/PS-MOTW#remove-motwps1 drilldown_searches: -- name: View the detection results for $user$ and $dest$ - search: '%original_detection_search% | search user = $user$ dest = $dest$' +- name: View the detection results for - "$user$" and "$dest$" + search: '%original_detection_search% | search user = "$user$" dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ and $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$, $dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" and "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_masquerading_explorer_as_child_process.yml b/detections/endpoint/windows_masquerading_explorer_as_child_process.yml index ce25afb92f..844c2fd0d2 100644 --- a/detections/endpoint/windows_masquerading_explorer_as_child_process.yml +++ b/detections/endpoint/windows_masquerading_explorer_as_child_process.yml @@ -16,12 +16,12 @@ known_false_positives: unknown references: - https://malpedia.caad.fkie.fraunhofer.de/details/win.qakbot drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_masquerading_msdtc_process.yml b/detections/endpoint/windows_masquerading_msdtc_process.yml index 8757ce6113..f3d78e6776 100644 --- a/detections/endpoint/windows_masquerading_msdtc_process.yml +++ b/detections/endpoint/windows_masquerading_msdtc_process.yml @@ -16,12 +16,12 @@ known_false_positives: unknown references: - https://malpedia.caad.fkie.fraunhofer.de/details/win.plugx drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_mimikatz_binary_execution.yml b/detections/endpoint/windows_mimikatz_binary_execution.yml index 827f00ad6c..cd0adf281f 100644 --- a/detections/endpoint/windows_mimikatz_binary_execution.yml +++ b/detections/endpoint/windows_mimikatz_binary_execution.yml @@ -18,12 +18,12 @@ references: - https://www.varonis.com/blog/what-is-mimikatz - https://media.defense.gov/2023/May/24/2003229517/-1/-1/0/CSA_Living_off_the_Land.PDF drilldown_searches: -- name: View the detection results for $user$ and $dest$ - search: '%original_detection_search% | search user = $user$ dest = $dest$' +- name: View the detection results for - "$user$" and "$dest$" + search: '%original_detection_search% | search user = "$user$" dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ and $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$, $dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" and "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_mimikatz_crypto_export_file_extensions.yml b/detections/endpoint/windows_mimikatz_crypto_export_file_extensions.yml index f98d7a3c21..71a31e678d 100644 --- a/detections/endpoint/windows_mimikatz_crypto_export_file_extensions.yml +++ b/detections/endpoint/windows_mimikatz_crypto_export_file_extensions.yml @@ -14,12 +14,12 @@ known_false_positives: False positives may be present and may need to be reviewe references: - https://github.com/gentilkiwi/mimikatz/blob/master/mimikatz/modules/kuhl_m_crypto.c#L628-L645 drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_modify_registry_authenticationleveloverride.yml b/detections/endpoint/windows_modify_registry_authenticationleveloverride.yml index 8d4db1462e..9be80f4534 100644 --- a/detections/endpoint/windows_modify_registry_authenticationleveloverride.yml +++ b/detections/endpoint/windows_modify_registry_authenticationleveloverride.yml @@ -15,12 +15,12 @@ known_false_positives: Administrators may enable or disable this feature that ma references: - https://malpedia.caad.fkie.fraunhofer.de/details/win.darkgate drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_modify_registry_auto_minor_updates.yml b/detections/endpoint/windows_modify_registry_auto_minor_updates.yml index 897d8056de..68b539a714 100644 --- a/detections/endpoint/windows_modify_registry_auto_minor_updates.yml +++ b/detections/endpoint/windows_modify_registry_auto_minor_updates.yml @@ -6,28 +6,12 @@ author: Teoderick Contreras, Splunk status: production type: Hunting data_source: -- Sysmon EventID 12 +- Sysmon EventID 12 - Sysmon EventID 13 -description: The following analytic identifies a suspicious modification to the Windows - auto update configuration registry. It detects changes to the registry path - "*\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU\\AutoInstallMinorUpdates" - with a value of "0x00000000". This activity is significant as it is commonly used - by adversaries, including malware like RedLine Stealer, to bypass detection and - deploy additional payloads. If confirmed malicious, this modification could allow - attackers to evade defenses, potentially leading to further system compromise and - exploitation of zero-day vulnerabilities. -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) - as lastTime from datamodel=Endpoint.Registry where Registry.registry_path="*\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU\\AutoInstallMinorUpdates" - AND Registry.registry_value_data="0x00000000" by Registry.dest Registry.user Registry.registry_path - Registry.registry_value_data Registry.registry_key_name | `drop_dm_object_name(Registry)` - | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `windows_modify_registry_auto_minor_updates_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information - on process that include the name of the process responsible for the changes from - your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, - confirm the latest CIM App 4.20 or higher is installed and the latest TA for the - endpoint product. -known_false_positives: administrators may enable or disable this feature that may - cause some false positive. +description: The following analytic identifies a suspicious modification to the Windows auto update configuration registry. It detects changes to the registry path "*\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU\\AutoInstallMinorUpdates" with a value of "0x00000000". This activity is significant as it is commonly used by adversaries, including malware like RedLine Stealer, to bypass detection and deploy additional payloads. If confirmed malicious, this modification could allow attackers to evade defenses, potentially leading to further system compromise and exploitation of zero-day vulnerabilities. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path="*\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU\\AutoInstallMinorUpdates" AND Registry.registry_value_data="0x00000000" by Registry.dest Registry.user Registry.registry_path Registry.registry_value_data Registry.registry_key_name | `drop_dm_object_name(Registry)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `windows_modify_registry_auto_minor_updates_filter`' +how_to_implement: To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product. +known_false_positives: administrators may enable or disable this feature that may cause some false positive. references: - https://learn.microsoft.com/de-de/security-updates/windowsupdateservices/18127499 tags: @@ -62,7 +46,6 @@ tags: tests: - name: True Positive Test attack_data: - - data: - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/redline/modify_registry/sysmon.log + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/redline/modify_registry/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/windows_modify_registry_auto_update_notif.yml b/detections/endpoint/windows_modify_registry_auto_update_notif.yml index cb9f995ba3..40396d91ed 100644 --- a/detections/endpoint/windows_modify_registry_auto_update_notif.yml +++ b/detections/endpoint/windows_modify_registry_auto_update_notif.yml @@ -15,12 +15,12 @@ known_false_positives: administrators may enable or disable this feature that ma references: - https://learn.microsoft.com/de-de/security-updates/windowsupdateservices/18127499 drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_modify_registry_configure_bitlocker.yml b/detections/endpoint/windows_modify_registry_configure_bitlocker.yml index a6d037cfec..a1b9041cf0 100644 --- a/detections/endpoint/windows_modify_registry_configure_bitlocker.yml +++ b/detections/endpoint/windows_modify_registry_configure_bitlocker.yml @@ -14,12 +14,12 @@ known_false_positives: administrators may enable or disable this feature that ma references: - https://www.bleepingcomputer.com/news/security/new-shrinklocker-ransomware-uses-bitlocker-to-encrypt-your-files/ drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_modify_registry_default_icon_setting.yml b/detections/endpoint/windows_modify_registry_default_icon_setting.yml index 1c87babada..45a56d96c8 100644 --- a/detections/endpoint/windows_modify_registry_default_icon_setting.yml +++ b/detections/endpoint/windows_modify_registry_default_icon_setting.yml @@ -16,12 +16,12 @@ references: - https://blogs.vmware.com/security/2022/10/lockbit-3-0-also-known-as-lockbit-black.html - https://news.sophos.com/en-us/2020/04/24/lockbit-ransomware-borrows-tricks-to-keep-up-with-revil-and-maze/ drilldown_searches: -- name: View the detection results for $dest$ and $user$ - search: '%original_detection_search% | search dest = $dest$ user = $user$' +- name: View the detection results for - "$dest$" and "$user$" + search: '%original_detection_search% | search dest = "$dest$" user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ and $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$, $user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" and "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_modify_registry_delete_firewall_rules.yml b/detections/endpoint/windows_modify_registry_delete_firewall_rules.yml index f77fe8ec60..23d4f6d0f2 100644 --- a/detections/endpoint/windows_modify_registry_delete_firewall_rules.yml +++ b/detections/endpoint/windows_modify_registry_delete_firewall_rules.yml @@ -14,12 +14,12 @@ known_false_positives: network admin may add/remove/modify public inbound firewa references: - https://www.bleepingcomputer.com/news/security/new-shrinklocker-ransomware-uses-bitlocker-to-encrypt-your-files/ drilldown_searches: -- name: View the detection results for $user$ and $dest$ - search: '%original_detection_search% | search user = $user$ dest = $dest$' +- name: View the detection results for - "$user$" and "$dest$" + search: '%original_detection_search% | search user = "$user$" dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ and $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$, $dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" and "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_modify_registry_disable_rdp.yml b/detections/endpoint/windows_modify_registry_disable_rdp.yml index 01e23f71b3..125322ed82 100644 --- a/detections/endpoint/windows_modify_registry_disable_rdp.yml +++ b/detections/endpoint/windows_modify_registry_disable_rdp.yml @@ -14,12 +14,12 @@ known_false_positives: administrators may enable or disable this feature that ma references: - https://www.bleepingcomputer.com/news/security/new-shrinklocker-ransomware-uses-bitlocker-to-encrypt-your-files/ drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_modify_registry_disable_restricted_admin.yml b/detections/endpoint/windows_modify_registry_disable_restricted_admin.yml index 1124997fb3..731ad00687 100644 --- a/detections/endpoint/windows_modify_registry_disable_restricted_admin.yml +++ b/detections/endpoint/windows_modify_registry_disable_restricted_admin.yml @@ -15,12 +15,12 @@ known_false_positives: Administrator may change this registry setting. Filter as references: - https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a drilldown_searches: -- name: View the detection results for $dest$ and $user$ - search: '%original_detection_search% | search dest = $dest$ user = $user$' +- name: View the detection results for - "$dest$" and "$user$" + search: '%original_detection_search% | search dest = "$dest$" user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ and $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$, $user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" and "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_modify_registry_disable_toast_notifications.yml b/detections/endpoint/windows_modify_registry_disable_toast_notifications.yml index a2c336ab4e..b104fc7d92 100644 --- a/detections/endpoint/windows_modify_registry_disable_toast_notifications.yml +++ b/detections/endpoint/windows_modify_registry_disable_toast_notifications.yml @@ -16,12 +16,12 @@ references: - https://docs.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/microsoft-windows-remoteassistance-exe-fallowtogethelp - https://app.any.run/tasks/a6f2ffe2-e6e2-4396-ae2e-04ea0143f2d8/ drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_modify_registry_disable_win_defender_raw_write_notif.yml b/detections/endpoint/windows_modify_registry_disable_win_defender_raw_write_notif.yml index e911420bf4..c14ebc10aa 100644 --- a/detections/endpoint/windows_modify_registry_disable_win_defender_raw_write_notif.yml +++ b/detections/endpoint/windows_modify_registry_disable_win_defender_raw_write_notif.yml @@ -16,12 +16,12 @@ references: - https://admx.help/?Category=SystemCenterEndpointProtection&Policy=Microsoft.Policies.Antimalware::real-time_protection_disablerawwritenotification - https://app.any.run/tasks/a6f2ffe2-e6e2-4396-ae2e-04ea0143f2d8/ drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_modify_registry_disable_windefender_notifications.yml b/detections/endpoint/windows_modify_registry_disable_windefender_notifications.yml index 5aafc9e36a..3d19f5e0be 100644 --- a/detections/endpoint/windows_modify_registry_disable_windefender_notifications.yml +++ b/detections/endpoint/windows_modify_registry_disable_windefender_notifications.yml @@ -15,12 +15,12 @@ known_false_positives: administrators may enable or disable this feature that ma references: - https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_modify_registry_disable_windows_security_center_notif.yml b/detections/endpoint/windows_modify_registry_disable_windows_security_center_notif.yml index de71441222..d7919e7b76 100644 --- a/detections/endpoint/windows_modify_registry_disable_windows_security_center_notif.yml +++ b/detections/endpoint/windows_modify_registry_disable_windows_security_center_notif.yml @@ -16,12 +16,12 @@ references: - https://docs.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/microsoft-windows-remoteassistance-exe-fallowtogethelp - https://app.any.run/tasks/a6f2ffe2-e6e2-4396-ae2e-04ea0143f2d8/ drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_modify_registry_disableremotedesktopantialias.yml b/detections/endpoint/windows_modify_registry_disableremotedesktopantialias.yml index 523b51d2a2..f6e044bc2d 100644 --- a/detections/endpoint/windows_modify_registry_disableremotedesktopantialias.yml +++ b/detections/endpoint/windows_modify_registry_disableremotedesktopantialias.yml @@ -15,12 +15,12 @@ known_false_positives: Administrators may enable or disable this feature that ma references: - https://malpedia.caad.fkie.fraunhofer.de/details/win.darkgate drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_modify_registry_disablesecuritysettings.yml b/detections/endpoint/windows_modify_registry_disablesecuritysettings.yml index 932aedf89c..e8a8dc5e98 100644 --- a/detections/endpoint/windows_modify_registry_disablesecuritysettings.yml +++ b/detections/endpoint/windows_modify_registry_disablesecuritysettings.yml @@ -15,12 +15,12 @@ known_false_positives: Administrators may enable or disable this feature that ma references: - https://malpedia.caad.fkie.fraunhofer.de/details/win.darkgate drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_modify_registry_disabling_wer_settings.yml b/detections/endpoint/windows_modify_registry_disabling_wer_settings.yml index 9aba7a0485..10cd48f314 100644 --- a/detections/endpoint/windows_modify_registry_disabling_wer_settings.yml +++ b/detections/endpoint/windows_modify_registry_disabling_wer_settings.yml @@ -16,12 +16,12 @@ references: - https://docs.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/microsoft-windows-remoteassistance-exe-fallowtogethelp - https://app.any.run/tasks/a6f2ffe2-e6e2-4396-ae2e-04ea0143f2d8/ drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_modify_registry_disallow_windows_app.yml b/detections/endpoint/windows_modify_registry_disallow_windows_app.yml index 402399d2ae..c8acd72850 100644 --- a/detections/endpoint/windows_modify_registry_disallow_windows_app.yml +++ b/detections/endpoint/windows_modify_registry_disallow_windows_app.yml @@ -15,12 +15,12 @@ known_false_positives: Administrators may enable or disable this feature that ma references: - https://app.any.run/tasks/a6f2ffe2-e6e2-4396-ae2e-04ea0143f2d8/ drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_modify_registry_do_not_connect_to_win_update.yml b/detections/endpoint/windows_modify_registry_do_not_connect_to_win_update.yml index e2aaff3a06..685aaae6c7 100644 --- a/detections/endpoint/windows_modify_registry_do_not_connect_to_win_update.yml +++ b/detections/endpoint/windows_modify_registry_do_not_connect_to_win_update.yml @@ -16,12 +16,12 @@ references: - https://learn.microsoft.com/de-de/security-updates/windowsupdateservices/18127499 - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsUpdate::DoNotConnectToWindowsUpdateInternetLocations drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_modify_registry_dontshowui.yml b/detections/endpoint/windows_modify_registry_dontshowui.yml index dd056ffd87..56c87e34d6 100644 --- a/detections/endpoint/windows_modify_registry_dontshowui.yml +++ b/detections/endpoint/windows_modify_registry_dontshowui.yml @@ -15,12 +15,12 @@ known_false_positives: Administrators may enable or disable this feature that ma references: - https://malpedia.caad.fkie.fraunhofer.de/details/win.darkgate drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_modify_registry_enablelinkedconnections.yml b/detections/endpoint/windows_modify_registry_enablelinkedconnections.yml index 606ffea316..3498d66a20 100644 --- a/detections/endpoint/windows_modify_registry_enablelinkedconnections.yml +++ b/detections/endpoint/windows_modify_registry_enablelinkedconnections.yml @@ -15,12 +15,12 @@ known_false_positives: Administrators may enable or disable this feature that ma references: - https://www.microsoft.com/en-us/security/blog/2023/07/06/the-five-day-job-a-blackbyte-ransomware-intrusion-case-study/ drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_modify_registry_longpathsenabled.yml b/detections/endpoint/windows_modify_registry_longpathsenabled.yml index 96add266c8..8ed7963cd7 100644 --- a/detections/endpoint/windows_modify_registry_longpathsenabled.yml +++ b/detections/endpoint/windows_modify_registry_longpathsenabled.yml @@ -15,12 +15,12 @@ known_false_positives: Administrators may enable or disable this feature that ma references: - https://www.microsoft.com/en-us/security/blog/2023/07/06/the-five-day-job-a-blackbyte-ransomware-intrusion-case-study/ drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_modify_registry_maxconnectionperserver.yml b/detections/endpoint/windows_modify_registry_maxconnectionperserver.yml index 3d1d122c58..5dd63b2f9b 100644 --- a/detections/endpoint/windows_modify_registry_maxconnectionperserver.yml +++ b/detections/endpoint/windows_modify_registry_maxconnectionperserver.yml @@ -16,12 +16,12 @@ references: - https://asec.ahnlab.com/en/17692/ - https://www.blackberry.com/us/en/solutions/endpoint-security/ransomware-protection/warzone#:~:text=Warzone%20RAT%20(AKA%20Ave%20Maria)%20is%20a%20remote%20access%20trojan,is%20as%20an%20information%20stealer. drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_modify_registry_no_auto_reboot_with_logon_user.yml b/detections/endpoint/windows_modify_registry_no_auto_reboot_with_logon_user.yml index 6436de14b6..92833a569b 100644 --- a/detections/endpoint/windows_modify_registry_no_auto_reboot_with_logon_user.yml +++ b/detections/endpoint/windows_modify_registry_no_auto_reboot_with_logon_user.yml @@ -15,12 +15,12 @@ known_false_positives: Administrators may enable or disable this feature that ma references: - https://learn.microsoft.com/de-de/security-updates/windowsupdateservices/18127499 drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_modify_registry_no_auto_update.yml b/detections/endpoint/windows_modify_registry_no_auto_update.yml index 1d530422df..e9789cd02a 100644 --- a/detections/endpoint/windows_modify_registry_no_auto_update.yml +++ b/detections/endpoint/windows_modify_registry_no_auto_update.yml @@ -15,12 +15,12 @@ known_false_positives: Administrators may enable or disable this feature that ma references: - https://learn.microsoft.com/de-de/security-updates/windowsupdateservices/18127499 drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_modify_registry_nochangingwallpaper.yml b/detections/endpoint/windows_modify_registry_nochangingwallpaper.yml index b15557e775..e723b557da 100644 --- a/detections/endpoint/windows_modify_registry_nochangingwallpaper.yml +++ b/detections/endpoint/windows_modify_registry_nochangingwallpaper.yml @@ -15,12 +15,12 @@ known_false_positives: Administrators may enable or disable this feature that ma references: - https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-319a drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_modify_registry_on_smart_card_group_policy.yml b/detections/endpoint/windows_modify_registry_on_smart_card_group_policy.yml index a121a76e8e..b2c070cf41 100644 --- a/detections/endpoint/windows_modify_registry_on_smart_card_group_policy.yml +++ b/detections/endpoint/windows_modify_registry_on_smart_card_group_policy.yml @@ -14,12 +14,12 @@ known_false_positives: administrators may enable or disable this feature that ma references: - https://www.bleepingcomputer.com/news/security/new-shrinklocker-ransomware-uses-bitlocker-to-encrypt-your-files/ drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_modify_registry_proxyenable.yml b/detections/endpoint/windows_modify_registry_proxyenable.yml index ab2f878428..582dd2c725 100644 --- a/detections/endpoint/windows_modify_registry_proxyenable.yml +++ b/detections/endpoint/windows_modify_registry_proxyenable.yml @@ -15,12 +15,12 @@ known_false_positives: Administrators may enable or disable this feature that ma references: - https://malpedia.caad.fkie.fraunhofer.de/details/win.darkgate drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_modify_registry_proxyserver.yml b/detections/endpoint/windows_modify_registry_proxyserver.yml index 51f59c5ba3..95183500f7 100644 --- a/detections/endpoint/windows_modify_registry_proxyserver.yml +++ b/detections/endpoint/windows_modify_registry_proxyserver.yml @@ -15,12 +15,12 @@ known_false_positives: Administrators may enable or disable this feature that ma references: - https://malpedia.caad.fkie.fraunhofer.de/details/win.darkgate drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_modify_registry_qakbot_binary_data_registry.yml b/detections/endpoint/windows_modify_registry_qakbot_binary_data_registry.yml index bd24a9c7a5..f5d81f737e 100644 --- a/detections/endpoint/windows_modify_registry_qakbot_binary_data_registry.yml +++ b/detections/endpoint/windows_modify_registry_qakbot_binary_data_registry.yml @@ -15,12 +15,12 @@ known_false_positives: unknown references: - https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/decrypting-qakbots-encrypted-registry-keys/ drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_modify_registry_reg_restore.yml b/detections/endpoint/windows_modify_registry_reg_restore.yml index e4bd41e0b7..7ba525b5a6 100644 --- a/detections/endpoint/windows_modify_registry_reg_restore.yml +++ b/detections/endpoint/windows_modify_registry_reg_restore.yml @@ -5,35 +5,14 @@ date: '2024-10-17' author: Teoderick Contreras, Splunk status: production type: Hunting -description: The following analytic detects the execution of reg.exe with the "restore" - parameter, indicating an attempt to restore registry backup data on a host. This - detection leverages data from Endpoint Detection and Response (EDR) agents, focusing - on process execution logs and command-line arguments. This activity is significant - as it may indicate post-exploitation actions, such as those performed by tools like - winpeas, which use "reg save" and "reg restore" to manipulate registry settings. - If confirmed malicious, this could allow an attacker to revert registry changes, - potentially bypassing security controls and maintaining persistence. +description: The following analytic detects the execution of reg.exe with the "restore" parameter, indicating an attempt to restore registry backup data on a host. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs and command-line arguments. This activity is significant as it may indicate post-exploitation actions, such as those performed by tools like winpeas, which use "reg save" and "reg restore" to manipulate registry settings. If confirmed malicious, this could allow an attacker to revert registry changes, potentially bypassing security controls and maintaining persistence. data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) - as lastTime from datamodel=Endpoint.Processes where `process_reg` AND Processes.process - = "* restore *" by Processes.process_name Processes.original_file_name Processes.process - Processes.process_id Processes.process_guid Processes.parent_process_name Processes.parent_process - Processes.parent_process_guid Processes.dest Processes.user | `drop_dm_object_name(Processes)` - | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_modify_registry_reg_restore_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection - and Response (EDR) agents. These agents are designed to provide security-related - telemetry from the endpoints where the agent is installed. To implement this search, - you must ingest logs that contain the process GUID, process name, and parent process. - Additionally, you must ingest complete command-line executions. These logs must - be processed using the appropriate Splunk Technology Add-ons that are specific to - the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` - data model. Use the Splunk Common Information Model (CIM) to normalize the field - names and speed up the data modeling process. -known_false_positives: network administrator can use this command tool to backup registry - before updates or modifying critical registries. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_reg` AND Processes.process = "* restore *" by Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.process_guid Processes.parent_process_name Processes.parent_process Processes.parent_process_guid Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_modify_registry_reg_restore_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. +known_false_positives: network administrator can use this command tool to backup registry before updates or modifying critical registries. references: - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/quser - https://github.com/carlospolop/PEASS-ng/tree/master/winPEAS @@ -81,8 +60,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/winpeas/sysmon.log + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/winpeas/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog update_timestamp: true diff --git a/detections/endpoint/windows_modify_registry_regedit_silent_reg_import.yml b/detections/endpoint/windows_modify_registry_regedit_silent_reg_import.yml index 503b343fe1..4424b1cb87 100644 --- a/detections/endpoint/windows_modify_registry_regedit_silent_reg_import.yml +++ b/detections/endpoint/windows_modify_registry_regedit_silent_reg_import.yml @@ -17,12 +17,12 @@ references: - https://app.any.run/tasks/a6f2ffe2-e6e2-4396-ae2e-04ea0143f2d8/ - https://www.techtarget.com/searchwindowsserver/tip/Command-line-options-for-Regeditexe drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_modify_registry_risk_behavior.yml b/detections/endpoint/windows_modify_registry_risk_behavior.yml index 9fdbe29114..41f59e8de0 100644 --- a/detections/endpoint/windows_modify_registry_risk_behavior.yml +++ b/detections/endpoint/windows_modify_registry_risk_behavior.yml @@ -16,12 +16,12 @@ references: - https://www.splunk.com/en_us/blog/security/from-registry-with-love-malware-registry-abuses.html - https://www.splunk.com/en_us/blog/security/-applocker-rules-as-defense-evasion-complete-analysis.html drilldown_searches: -- name: View the detection results for $risk_object$ - search: '%original_detection_search% | search risk_object = $risk_object$' +- name: View the detection results for - "$risk_object$" + search: '%original_detection_search% | search risk_object = "$risk_object$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $risk_object$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($risk_object$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$risk_object$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$risk_object$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_modify_registry_suppress_win_defender_notif.yml b/detections/endpoint/windows_modify_registry_suppress_win_defender_notif.yml index 7a475cdb68..ded57e483a 100644 --- a/detections/endpoint/windows_modify_registry_suppress_win_defender_notif.yml +++ b/detections/endpoint/windows_modify_registry_suppress_win_defender_notif.yml @@ -16,12 +16,12 @@ references: - https://docs.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/microsoft-windows-remoteassistance-exe-fallowtogethelp - https://app.any.run/tasks/a6f2ffe2-e6e2-4396-ae2e-04ea0143f2d8/ drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_modify_registry_tamper_protection.yml b/detections/endpoint/windows_modify_registry_tamper_protection.yml index 296d0b5a84..3133013fec 100644 --- a/detections/endpoint/windows_modify_registry_tamper_protection.yml +++ b/detections/endpoint/windows_modify_registry_tamper_protection.yml @@ -15,12 +15,12 @@ known_false_positives: Administrators may enable or disable this feature that ma references: - https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_modify_registry_to_add_or_modify_firewall_rule.yml b/detections/endpoint/windows_modify_registry_to_add_or_modify_firewall_rule.yml index 461741cee6..d9595c03d1 100644 --- a/detections/endpoint/windows_modify_registry_to_add_or_modify_firewall_rule.yml +++ b/detections/endpoint/windows_modify_registry_to_add_or_modify_firewall_rule.yml @@ -16,12 +16,12 @@ known_false_positives: network admin may add/remove/modify public inbound firewa references: - https://www.bleepingcomputer.com/news/security/new-shrinklocker-ransomware-uses-bitlocker-to-encrypt-your-files/ drilldown_searches: -- name: View the detection results for $user$ and $dest$ - search: '%original_detection_search% | search user = $user$ dest = $dest$' +- name: View the detection results for - "$user$" and "$dest$" + search: '%original_detection_search% | search user = "$user$" dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ and $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$, $dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" and "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_modify_registry_updateserviceurlalternate.yml b/detections/endpoint/windows_modify_registry_updateserviceurlalternate.yml index 80753abeda..2c2dbcc256 100644 --- a/detections/endpoint/windows_modify_registry_updateserviceurlalternate.yml +++ b/detections/endpoint/windows_modify_registry_updateserviceurlalternate.yml @@ -15,12 +15,12 @@ known_false_positives: Administrators may enable or disable this feature that ma references: - https://learn.microsoft.com/de-de/security-updates/windowsupdateservices/18127499 drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_modify_registry_usewuserver.yml b/detections/endpoint/windows_modify_registry_usewuserver.yml index cfaab74dec..15cf6742dc 100644 --- a/detections/endpoint/windows_modify_registry_usewuserver.yml +++ b/detections/endpoint/windows_modify_registry_usewuserver.yml @@ -6,28 +6,12 @@ author: Teoderick Contreras, Splunk status: production type: Hunting data_source: -- Sysmon EventID 12 +- Sysmon EventID 12 - Sysmon EventID 13 -description: The following analytic detects a suspicious modification to the Windows - Update configuration registry key "UseWUServer." It leverages data from the Endpoint.Registry - data model to identify changes where the registry value is set to "0x00000001." - This activity is significant because it is commonly used by adversaries, including - malware like RedLine Stealer, to bypass detection mechanisms and potentially exploit - zero-day vulnerabilities. If confirmed malicious, this modification could allow - attackers to evade defenses, persist on the target host, and deploy additional malicious - payloads. -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) - as lastTime from datamodel=Endpoint.Registry where Registry.registry_path="*\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU\\UseWUServer" - AND Registry.registry_value_data="0x00000001" by Registry.dest Registry.user Registry.registry_path - Registry.registry_value_data Registry.registry_key_name | `drop_dm_object_name(Registry)` - | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `windows_modify_registry_usewuserver_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information - on process that include the name of the process responsible for the changes from - your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, - confirm the latest CIM App 4.20 or higher is installed and the latest TA for the - endpoint product. -known_false_positives: administrators may enable or disable this feature that may - cause some false positive. +description: The following analytic detects a suspicious modification to the Windows Update configuration registry key "UseWUServer." It leverages data from the Endpoint.Registry data model to identify changes where the registry value is set to "0x00000001." This activity is significant because it is commonly used by adversaries, including malware like RedLine Stealer, to bypass detection mechanisms and potentially exploit zero-day vulnerabilities. If confirmed malicious, this modification could allow attackers to evade defenses, persist on the target host, and deploy additional malicious payloads. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path="*\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU\\UseWUServer" AND Registry.registry_value_data="0x00000001" by Registry.dest Registry.user Registry.registry_path Registry.registry_value_data Registry.registry_key_name | `drop_dm_object_name(Registry)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `windows_modify_registry_usewuserver_filter`' +how_to_implement: To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product. +known_false_positives: administrators may enable or disable this feature that may cause some false positive. references: - https://learn.microsoft.com/de-de/security-updates/windowsupdateservices/18127499 tags: @@ -62,7 +46,6 @@ tags: tests: - name: True Positive Test attack_data: - - data: - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/redline/modify_registry/sysmon.log + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/redline/modify_registry/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/windows_modify_registry_utilize_progids.yml b/detections/endpoint/windows_modify_registry_utilize_progids.yml index 179e7e6d92..ee2e924253 100644 --- a/detections/endpoint/windows_modify_registry_utilize_progids.yml +++ b/detections/endpoint/windows_modify_registry_utilize_progids.yml @@ -16,12 +16,12 @@ references: - https://www.fortinet.com/blog/threat-research/valleyrat-campaign-targeting-chinese-speakers - https://v3ded.github.io/redteam/utilizing-programmatic-identifiers-progids-for-uac-bypasses drilldown_searches: -- name: View the detection results for $user$ and $dest$ - search: '%original_detection_search% | search user = $user$ dest = $dest$' +- name: View the detection results for - "$user$" and "$dest$" + search: '%original_detection_search% | search user = "$user$" dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ and $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$, $dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" and "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_modify_registry_valleyrat_c2_config.yml b/detections/endpoint/windows_modify_registry_valleyrat_c2_config.yml index 59d1af8749..641d413fdf 100644 --- a/detections/endpoint/windows_modify_registry_valleyrat_c2_config.yml +++ b/detections/endpoint/windows_modify_registry_valleyrat_c2_config.yml @@ -16,12 +16,12 @@ references: - https://www.proofpoint.com/us/blog/threat-insight/chinese-malware-appears-earnest-across-cybercrime-threat-landscape - https://www.fortinet.com/blog/threat-research/valleyrat-campaign-targeting-chinese-speakers drilldown_searches: -- name: View the detection results for $user$ and $dest$ - search: '%original_detection_search% | search user = $user$ dest = $dest$' +- name: View the detection results for - "$user$" and "$dest$" + search: '%original_detection_search% | search user = "$user$" dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ and $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$, $dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" and "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_modify_registry_valleyrat_pwn_reg_entry.yml b/detections/endpoint/windows_modify_registry_valleyrat_pwn_reg_entry.yml index 7dd455048e..0312fc699a 100644 --- a/detections/endpoint/windows_modify_registry_valleyrat_pwn_reg_entry.yml +++ b/detections/endpoint/windows_modify_registry_valleyrat_pwn_reg_entry.yml @@ -15,12 +15,12 @@ references: - https://www.proofpoint.com/us/blog/threat-insight/chinese-malware-appears-earnest-across-cybercrime-threat-landscape - https://www.fortinet.com/blog/threat-research/valleyrat-campaign-targeting-chinese-speakers drilldown_searches: -- name: View the detection results for $user$ and $dest$ - search: '%original_detection_search% | search user = $user$ dest = $dest$' +- name: View the detection results for - "$user$" and "$dest$" + search: '%original_detection_search% | search user = "$user$" dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ and $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$, $dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" and "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_modify_registry_with_md5_reg_key_name.yml b/detections/endpoint/windows_modify_registry_with_md5_reg_key_name.yml index f625ae3e00..4c9a1f7b60 100644 --- a/detections/endpoint/windows_modify_registry_with_md5_reg_key_name.yml +++ b/detections/endpoint/windows_modify_registry_with_md5_reg_key_name.yml @@ -15,12 +15,12 @@ known_false_positives: unknown references: - https://malpedia.caad.fkie.fraunhofer.de/details/win.njrat drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_modify_registry_wuserver.yml b/detections/endpoint/windows_modify_registry_wuserver.yml index 234ab48344..bfa976d90b 100644 --- a/detections/endpoint/windows_modify_registry_wuserver.yml +++ b/detections/endpoint/windows_modify_registry_wuserver.yml @@ -6,28 +6,12 @@ author: Teoderick Contreras, Splunk status: production type: Hunting data_source: -- Sysmon EventID 12 +- Sysmon EventID 12 - Sysmon EventID 13 -description: The following analytic detects suspicious modifications to the Windows - Update Server (WUServer) registry settings. It leverages data from the Endpoint.Registry - data model to identify changes in the registry path associated with Windows Update - configurations. This activity is significant because adversaries, including malware - like RedLine Stealer, exploit this technique to bypass detection and deploy additional - payloads. If confirmed malicious, this registry modification could allow attackers - to evade defenses, potentially leading to further system compromise and persistent - unauthorized access. -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) - as lastTime from datamodel=Endpoint.Registry where Registry.registry_path="*\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\WUServer" - by Registry.dest Registry.user Registry.registry_path Registry.registry_value_data - Registry.registry_key_name | `drop_dm_object_name(Registry)` | `security_content_ctime(lastTime)` - | `security_content_ctime(firstTime)` | `windows_modify_registry_wuserver_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information - on process that include the name of the process responsible for the changes from - your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, - confirm the latest CIM App 4.20 or higher is installed and the latest TA for the - endpoint product. -known_false_positives: Administrators may enable or disable this feature that may - cause some false positive. +description: The following analytic detects suspicious modifications to the Windows Update Server (WUServer) registry settings. It leverages data from the Endpoint.Registry data model to identify changes in the registry path associated with Windows Update configurations. This activity is significant because adversaries, including malware like RedLine Stealer, exploit this technique to bypass detection and deploy additional payloads. If confirmed malicious, this registry modification could allow attackers to evade defenses, potentially leading to further system compromise and persistent unauthorized access. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path="*\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\WUServer" by Registry.dest Registry.user Registry.registry_path Registry.registry_value_data Registry.registry_key_name | `drop_dm_object_name(Registry)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `windows_modify_registry_wuserver_filter`' +how_to_implement: To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product. +known_false_positives: Administrators may enable or disable this feature that may cause some false positive. references: - https://learn.microsoft.com/de-de/security-updates/windowsupdateservices/18127499 tags: @@ -62,7 +46,6 @@ tags: tests: - name: True Positive Test attack_data: - - data: - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/redline/modify_registry/sysmon.log + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/redline/modify_registry/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/windows_modify_registry_wustatusserver.yml b/detections/endpoint/windows_modify_registry_wustatusserver.yml index b6df3f3d32..5e9a3f208e 100644 --- a/detections/endpoint/windows_modify_registry_wustatusserver.yml +++ b/detections/endpoint/windows_modify_registry_wustatusserver.yml @@ -6,28 +6,12 @@ author: Teoderick Contreras, Splunk status: production type: Hunting data_source: -- Sysmon EventID 12 +- Sysmon EventID 12 - Sysmon EventID 13 -description: The following analytic identifies suspicious modifications to the Windows - Update configuration registry, specifically targeting the WUStatusServer key. It - leverages data from the Endpoint datamodel to detect changes in the registry path - associated with Windows Update settings. This activity is significant as it is commonly - used by adversaries, including malware like RedLine Stealer, to bypass detection - and deploy additional payloads. If confirmed malicious, this modification could - allow attackers to evade defenses, potentially leading to further system compromise - and persistent unauthorized access. -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) - as lastTime from datamodel=Endpoint.Registry where Registry.registry_path="*\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\WUStatusServer" - by Registry.dest Registry.user Registry.registry_path Registry.registry_value_data - Registry.registry_key_name | `drop_dm_object_name(Registry)` | `security_content_ctime(lastTime)` - | `security_content_ctime(firstTime)` | `windows_modify_registry_wustatusserver_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information - on process that include the name of the process responsible for the changes from - your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, - confirm the latest CIM App 4.20 or higher is installed and the latest TA for the - endpoint product. -known_false_positives: administrators may enable or disable this feature that may - cause some false positive. +description: The following analytic identifies suspicious modifications to the Windows Update configuration registry, specifically targeting the WUStatusServer key. It leverages data from the Endpoint datamodel to detect changes in the registry path associated with Windows Update settings. This activity is significant as it is commonly used by adversaries, including malware like RedLine Stealer, to bypass detection and deploy additional payloads. If confirmed malicious, this modification could allow attackers to evade defenses, potentially leading to further system compromise and persistent unauthorized access. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path="*\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\WUStatusServer" by Registry.dest Registry.user Registry.registry_path Registry.registry_value_data Registry.registry_key_name | `drop_dm_object_name(Registry)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `windows_modify_registry_wustatusserver_filter`' +how_to_implement: To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product. +known_false_positives: administrators may enable or disable this feature that may cause some false positive. references: - https://learn.microsoft.com/de-de/security-updates/windowsupdateservices/18127499 tags: @@ -62,7 +46,6 @@ tags: tests: - name: True Positive Test attack_data: - - data: - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/redline/modify_registry/sysmon.log + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/redline/modify_registry/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/windows_modify_show_compress_color_and_info_tip_registry.yml b/detections/endpoint/windows_modify_show_compress_color_and_info_tip_registry.yml index 3224f7522d..3b64d090ac 100644 --- a/detections/endpoint/windows_modify_show_compress_color_and_info_tip_registry.yml +++ b/detections/endpoint/windows_modify_show_compress_color_and_info_tip_registry.yml @@ -15,12 +15,12 @@ known_false_positives: unknown references: - https://blog.talosintelligence.com/2022/02/threat-advisory-hermeticwiper.html drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_modify_system_firewall_with_notable_process_path.yml b/detections/endpoint/windows_modify_system_firewall_with_notable_process_path.yml index f98272a4e6..833cf3b5a9 100644 --- a/detections/endpoint/windows_modify_system_firewall_with_notable_process_path.yml +++ b/detections/endpoint/windows_modify_system_firewall_with_notable_process_path.yml @@ -16,12 +16,12 @@ known_false_positives: A network operator or systems administrator may utilize a references: - https://www.splunk.com/en_us/blog/security/more-than-just-a-rat-unveiling-njrat-s-mbr-wiping-capabilities.html drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_mof_event_triggered_execution_via_wmi.yml b/detections/endpoint/windows_mof_event_triggered_execution_via_wmi.yml index 4a6ad51645..a86e12b9bf 100644 --- a/detections/endpoint/windows_mof_event_triggered_execution_via_wmi.yml +++ b/detections/endpoint/windows_mof_event_triggered_execution_via_wmi.yml @@ -20,12 +20,12 @@ references: - https://pentestlab.blog/2020/01/21/persistence-wmi-event-subscription/ - https://www.sakshamdixit.com/wmi-events/ drilldown_searches: -- name: View the detection results for $user$ and $dest$ - search: '%original_detection_search% | search user = $user$ dest = $dest$' +- name: View the detection results for - "$user$" and "$dest$" + search: '%original_detection_search% | search user = "$user$" dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ and $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$, $dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" and "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_moveit_transfer_writing_aspx.yml b/detections/endpoint/windows_moveit_transfer_writing_aspx.yml index a92e770b56..fd551ac7c5 100644 --- a/detections/endpoint/windows_moveit_transfer_writing_aspx.yml +++ b/detections/endpoint/windows_moveit_transfer_writing_aspx.yml @@ -7,32 +7,10 @@ status: experimental type: TTP data_source: - Sysmon EventID 11 -description: The following analytic detects the creation of new ASPX files in the - MOVEit Transfer application's "wwwroot" directory. It leverages endpoint data on - process and filesystem activity to identify processes responsible for creating these - files. This activity is significant as it may indicate exploitation of a critical - zero-day vulnerability in MOVEit Transfer, used by threat actors to install malicious - ASPX files. If confirmed malicious, this could lead to exfiltration of sensitive - data, including user credentials and file metadata, posing a severe risk to the - organization's security. -search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes - where Processes.process_name=System by _time span=1h Processes.process_id Processes.process_name - Processes.dest | `drop_dm_object_name(Processes)` | join process_guid, _time [| - tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) - as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.file_path IN ("*\\MOVEitTransfer\\wwwroot\\*") - Filesystem.file_name IN("*.aspx", "*.ashx", "*.asp*") OR Filesystem.file_name IN - ("human2.aspx","_human2.aspx") by _time span=1h Filesystem.dest Filesystem.file_create_time - Filesystem.file_name Filesystem.file_path | `drop_dm_object_name(Filesystem)` | - fields _time dest file_create_time file_name file_path process_name process_path - process] | dedup file_create_time | table dest file_create_time, file_name, file_path, - process_name | `windows_moveit_transfer_writing_aspx_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information - on process that include the name of the process responsible for the changes from - your endpoints into the `Endpoint` datamodel in the `Processes` node and `Filesystem` - node. -known_false_positives: The query is structured in a way that `action` (read, create) - is not defined. Review the results of this query, filter, and tune as necessary. - It may be necessary to generate this query specific to your endpoint product. +description: The following analytic detects the creation of new ASPX files in the MOVEit Transfer application's "wwwroot" directory. It leverages endpoint data on process and filesystem activity to identify processes responsible for creating these files. This activity is significant as it may indicate exploitation of a critical zero-day vulnerability in MOVEit Transfer, used by threat actors to install malicious ASPX files. If confirmed malicious, this could lead to exfiltration of sensitive data, including user credentials and file metadata, posing a severe risk to the organization's security. +search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where Processes.process_name=System by _time span=1h Processes.process_id Processes.process_name Processes.dest | `drop_dm_object_name(Processes)` | join process_guid, _time [| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.file_path IN ("*\\MOVEitTransfer\\wwwroot\\*") Filesystem.file_name IN("*.aspx", "*.ashx", "*.asp*") OR Filesystem.file_name IN ("human2.aspx","_human2.aspx") by _time span=1h Filesystem.dest Filesystem.file_create_time Filesystem.file_name Filesystem.file_path | `drop_dm_object_name(Filesystem)` | fields _time dest file_create_time file_name file_path process_name process_path process] | dedup file_create_time | table dest file_create_time, file_name, file_path, process_name | `windows_moveit_transfer_writing_aspx_filter`' +how_to_implement: To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node and `Filesystem` node. +known_false_positives: The query is structured in a way that `action` (read, create) is not defined. Review the results of this query, filter, and tune as necessary. It may be necessary to generate this query specific to your endpoint product. references: - https://community.progress.com/s/article/MOVEit-Transfer-Critical-Vulnerability-31May2023 - https://www.reddit.com/r/sysadmin/comments/13wxuej/critical_vulnerability_moveit_file_transfer/ @@ -75,7 +53,6 @@ tags: tests: - name: True Positive Test attack_data: - - data: - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1505.003/moveit_windows-sysmon.log + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1505.003/moveit_windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/windows_msexchange_management_mailbox_cmdlet_usage.yml b/detections/endpoint/windows_msexchange_management_mailbox_cmdlet_usage.yml index 86c9ed3474..e57386c614 100644 --- a/detections/endpoint/windows_msexchange_management_mailbox_cmdlet_usage.yml +++ b/detections/endpoint/windows_msexchange_management_mailbox_cmdlet_usage.yml @@ -16,12 +16,12 @@ known_false_positives: False positives may be present when an Administrator util references: - https://gist.github.com/MHaggis/f66f1d608ea046efb9157020cd34c178 drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_mshta_execution_in_registry.yml b/detections/endpoint/windows_mshta_execution_in_registry.yml index e6d5c3af8e..7cfc03b336 100644 --- a/detections/endpoint/windows_mshta_execution_in_registry.yml +++ b/detections/endpoint/windows_mshta_execution_in_registry.yml @@ -16,12 +16,12 @@ references: - https://redcanary.com/threat-detection-report/techniques/mshta/ - https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/fileless-threats?view=o365-worldwide drilldown_searches: -- name: View the detection results for $dest$ and $user$ - search: '%original_detection_search% | search dest = $dest$ user = $user$' +- name: View the detection results for - "$dest$" and "$user$" + search: '%original_detection_search% | search dest = "$dest$" user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ and $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$, $user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" and "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_mshta_writing_to_world_writable_path.yml b/detections/endpoint/windows_mshta_writing_to_world_writable_path.yml index 8176e2452a..74d8aba0d5 100644 --- a/detections/endpoint/windows_mshta_writing_to_world_writable_path.yml +++ b/detections/endpoint/windows_mshta_writing_to_world_writable_path.yml @@ -15,12 +15,12 @@ references: - https://www.mandiant.com/resources/blog/apt29-wineloader-german-political-parties - https://www.zscaler.com/blogs/security-research/european-diplomats-targeted-spikedwine-wineloader drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_msiexec_dllregisterserver.yml b/detections/endpoint/windows_msiexec_dllregisterserver.yml index 79eaadda8c..c4575180d6 100644 --- a/detections/endpoint/windows_msiexec_dllregisterserver.yml +++ b/detections/endpoint/windows_msiexec_dllregisterserver.yml @@ -17,12 +17,12 @@ references: - https://thedfirreport.com/2022/06/06/will-the-real-msiexec-please-stand-up-exploit-leads-to-data-exfiltration/ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.007/T1218.007.md drilldown_searches: -- name: View the detection results for $user$ and $dest$ - search: '%original_detection_search% | search user = $user$ dest = $dest$' +- name: View the detection results for - "$user$" and "$dest$" + search: '%original_detection_search% | search user = "$user$" dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ and $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$, $dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" and "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_msiexec_hidewindow_rundll32_execution.yml b/detections/endpoint/windows_msiexec_hidewindow_rundll32_execution.yml index dee0a158b7..f80ce78f30 100644 --- a/detections/endpoint/windows_msiexec_hidewindow_rundll32_execution.yml +++ b/detections/endpoint/windows_msiexec_hidewindow_rundll32_execution.yml @@ -17,12 +17,12 @@ references: - https://twitter.com/Max_Mal_/status/1736392741758611607 - https://twitter.com/1ZRR4H/status/1735944522075386332 drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_msiexec_remote_download.yml b/detections/endpoint/windows_msiexec_remote_download.yml index ec5e56725f..2611b3f384 100644 --- a/detections/endpoint/windows_msiexec_remote_download.yml +++ b/detections/endpoint/windows_msiexec_remote_download.yml @@ -17,12 +17,12 @@ references: - https://thedfirreport.com/2022/06/06/will-the-real-msiexec-please-stand-up-exploit-leads-to-data-exfiltration/ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.007/T1218.007.md drilldown_searches: -- name: View the detection results for $user$ and $dest$ - search: '%original_detection_search% | search user = $user$ dest = $dest$' +- name: View the detection results for - "$user$" and "$dest$" + search: '%original_detection_search% | search user = "$user$" dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ and $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$, $dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" and "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_msiexec_spawn_discovery_command.yml b/detections/endpoint/windows_msiexec_spawn_discovery_command.yml index da3c7062d6..0fd6aaac27 100644 --- a/detections/endpoint/windows_msiexec_spawn_discovery_command.yml +++ b/detections/endpoint/windows_msiexec_spawn_discovery_command.yml @@ -17,12 +17,12 @@ references: - https://thedfirreport.com/2022/06/06/will-the-real-msiexec-please-stand-up-exploit-leads-to-data-exfiltration/ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.007/T1218.007.md drilldown_searches: -- name: View the detection results for $user$ and $dest$ - search: '%original_detection_search% | search user = $user$ dest = $dest$' +- name: View the detection results for - "$user$" and "$dest$" + search: '%original_detection_search% | search user = "$user$" dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ and $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$, $dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" and "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_msiexec_spawn_windbg.yml b/detections/endpoint/windows_msiexec_spawn_windbg.yml index 8e03ebdc3f..9a982021d1 100644 --- a/detections/endpoint/windows_msiexec_spawn_windbg.yml +++ b/detections/endpoint/windows_msiexec_spawn_windbg.yml @@ -16,12 +16,12 @@ known_false_positives: False positives will only be present if the MSIExec proce references: - https://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2023-10-25-IOCs-from-DarkGate-activity.txt drilldown_searches: -- name: View the detection results for $user$ and $dest$ - search: '%original_detection_search% | search user = $user$ dest = $dest$' +- name: View the detection results for - "$user$" and "$dest$" + search: '%original_detection_search% | search user = "$user$" dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ and $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$, $dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" and "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_msiexec_unregister_dllregisterserver.yml b/detections/endpoint/windows_msiexec_unregister_dllregisterserver.yml index 4639eb06a3..a524b65da9 100644 --- a/detections/endpoint/windows_msiexec_unregister_dllregisterserver.yml +++ b/detections/endpoint/windows_msiexec_unregister_dllregisterserver.yml @@ -17,12 +17,12 @@ references: - https://thedfirreport.com/2022/06/06/will-the-real-msiexec-please-stand-up-exploit-leads-to-data-exfiltration/ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.007/T1218.007.md drilldown_searches: -- name: View the detection results for $user$ and $dest$ - search: '%original_detection_search% | search user = $user$ dest = $dest$' +- name: View the detection results for - "$user$" and "$dest$" + search: '%original_detection_search% | search user = "$user$" dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ and $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$, $dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" and "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_msiexec_with_network_connections.yml b/detections/endpoint/windows_msiexec_with_network_connections.yml index d746e6c23f..8b40052b26 100644 --- a/detections/endpoint/windows_msiexec_with_network_connections.yml +++ b/detections/endpoint/windows_msiexec_with_network_connections.yml @@ -15,12 +15,12 @@ references: - https://thedfirreport.com/2022/06/06/will-the-real-msiexec-please-stand-up-exploit-leads-to-data-exfiltration/ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.007/T1218.007.md drilldown_searches: -- name: View the detection results for $user$ and $dest$ - search: '%original_detection_search% | search user = $user$ dest = $dest$' +- name: View the detection results for - "$user$" and "$dest$" + search: '%original_detection_search% | search user = "$user$" dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ and $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$, $dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" and "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_multi_hop_proxy_tor_website_query.yml b/detections/endpoint/windows_multi_hop_proxy_tor_website_query.yml index 2101f6a320..50678bcb59 100644 --- a/detections/endpoint/windows_multi_hop_proxy_tor_website_query.yml +++ b/detections/endpoint/windows_multi_hop_proxy_tor_website_query.yml @@ -14,12 +14,12 @@ known_false_positives: third party application may use this proxies if allowed i references: - https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_multiple_account_passwords_changed.yml b/detections/endpoint/windows_multiple_account_passwords_changed.yml index 47bc972c6e..966dcf2443 100644 --- a/detections/endpoint/windows_multiple_account_passwords_changed.yml +++ b/detections/endpoint/windows_multiple_account_passwords_changed.yml @@ -14,12 +14,12 @@ known_false_positives: Service accounts may be responsible for the creation, del references: - https://attack.mitre.org/techniques/T1098/ drilldown_searches: -- name: View the detection results for $src_user$ - search: '%original_detection_search% | search src_user = $src_user$' +- name: View the detection results for - "$src_user$" + search: '%original_detection_search% | search src_user = "$src_user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $src_user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($src_user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$src_user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src_user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_multiple_accounts_deleted.yml b/detections/endpoint/windows_multiple_accounts_deleted.yml index 657de3d418..128a70caac 100644 --- a/detections/endpoint/windows_multiple_accounts_deleted.yml +++ b/detections/endpoint/windows_multiple_accounts_deleted.yml @@ -14,12 +14,12 @@ known_false_positives: Service accounts may be responsible for the creation, del references: - https://attack.mitre.org/techniques/T1098/ drilldown_searches: -- name: View the detection results for $src_user$ - search: '%original_detection_search% | search src_user = $src_user$' +- name: View the detection results for - "$src_user$" + search: '%original_detection_search% | search src_user = "$src_user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $src_user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($src_user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$src_user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src_user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_multiple_accounts_disabled.yml b/detections/endpoint/windows_multiple_accounts_disabled.yml index add4bc291a..33a0ecb658 100644 --- a/detections/endpoint/windows_multiple_accounts_disabled.yml +++ b/detections/endpoint/windows_multiple_accounts_disabled.yml @@ -14,12 +14,12 @@ known_false_positives: Service accounts may be responsible for the creation, del references: - https://attack.mitre.org/techniques/T1098/ drilldown_searches: -- name: View the detection results for $src_user$ - search: '%original_detection_search% | search src_user = $src_user$' +- name: View the detection results for - "$src_user$" + search: '%original_detection_search% | search src_user = "$src_user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $src_user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($src_user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$src_user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src_user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_multiple_disabled_users_failed_to_authenticate_wth_kerberos.yml b/detections/endpoint/windows_multiple_disabled_users_failed_to_authenticate_wth_kerberos.yml index bf458256ad..47c5e4d0c7 100644 --- a/detections/endpoint/windows_multiple_disabled_users_failed_to_authenticate_wth_kerberos.yml +++ b/detections/endpoint/windows_multiple_disabled_users_failed_to_authenticate_wth_kerberos.yml @@ -10,12 +10,12 @@ name: Windows Multiple Disabled Users Failed To Authenticate Wth Kerberos references: - https://attack.mitre.org/techniques/T1110/003/ drilldown_searches: -- name: View the detection results for $user$ - search: '%original_detection_search% | search user = $user$' +- name: View the detection results for - "$user$" + search: '%original_detection_search% | search user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ search: '`wineventlog_security` EventCode=4768 TargetUserName!=*$ Status=0x12 | bucket span=5m _time | stats dc(TargetUserName) AS unique_accounts values(TargetUserName) as user by _time, IpAddress | where unique_accounts > 30 | `windows_multiple_disabled_users_failed_to_authenticate_wth_kerberos_filter`' diff --git a/detections/endpoint/windows_multiple_invalid_users_fail_to_authenticate_using_kerberos.yml b/detections/endpoint/windows_multiple_invalid_users_fail_to_authenticate_using_kerberos.yml index c3df1b817a..5d5d46e86e 100644 --- a/detections/endpoint/windows_multiple_invalid_users_fail_to_authenticate_using_kerberos.yml +++ b/detections/endpoint/windows_multiple_invalid_users_fail_to_authenticate_using_kerberos.yml @@ -10,12 +10,12 @@ name: Windows Multiple Invalid Users Fail To Authenticate Using Kerberos references: - https://attack.mitre.org/techniques/T1110/003/ drilldown_searches: -- name: View the detection results for $user$ - search: '%original_detection_search% | search user = $user$' +- name: View the detection results for - "$user$" + search: '%original_detection_search% | search user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ search: '`wineventlog_security` EventCode=4768 TargetUserName!=*$ Status=0x6 | bucket span=5m _time | stats dc(TargetUserName) AS unique_accounts values(TargetUserName) as user by _time, IpAddress | where unique_accounts > 30 | `windows_multiple_invalid_users_fail_to_authenticate_using_kerberos_filter`' diff --git a/detections/endpoint/windows_multiple_invalid_users_failed_to_authenticate_using_ntlm.yml b/detections/endpoint/windows_multiple_invalid_users_failed_to_authenticate_using_ntlm.yml index 3466af1f15..b953071f12 100644 --- a/detections/endpoint/windows_multiple_invalid_users_failed_to_authenticate_using_ntlm.yml +++ b/detections/endpoint/windows_multiple_invalid_users_failed_to_authenticate_using_ntlm.yml @@ -12,12 +12,12 @@ references: - https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-credential-validation - https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4776 drilldown_searches: -- name: View the detection results for $Workstation$ - search: '%original_detection_search% | search Workstation = $Workstation$' +- name: View the detection results for - "$Workstation$" + search: '%original_detection_search% | search Workstation = "$Workstation$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $Workstation$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($Workstation$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$Workstation$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$Workstation$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ search: '`wineventlog_security` EventCode=4776 TargetUserName!=*$ Status=0xc0000064 | bucket span=5m _time | stats dc(TargetUserName) AS unique_accounts values(TargetUserName) as tried_accounts by _time, Workstation | where unique_accounts > 30 | `windows_multiple_invalid_users_failed_to_authenticate_using_ntlm_filter`' diff --git a/detections/endpoint/windows_multiple_ntlm_null_domain_authentications.yml b/detections/endpoint/windows_multiple_ntlm_null_domain_authentications.yml index 537e4ed68c..bd3b2b6dab 100644 --- a/detections/endpoint/windows_multiple_ntlm_null_domain_authentications.yml +++ b/detections/endpoint/windows_multiple_ntlm_null_domain_authentications.yml @@ -18,12 +18,12 @@ references: - https://www.varonis.com/blog/investigate-ntlm-brute-force - https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-nrpc/4d1235e3-2c96-4e9f-a147-3cb338a0d09f drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_multiple_users_fail_to_authenticate_wth_explicitcredentials.yml b/detections/endpoint/windows_multiple_users_fail_to_authenticate_wth_explicitcredentials.yml index c50919c0ef..536dd96b2e 100644 --- a/detections/endpoint/windows_multiple_users_fail_to_authenticate_wth_explicitcredentials.yml +++ b/detections/endpoint/windows_multiple_users_fail_to_authenticate_wth_explicitcredentials.yml @@ -12,12 +12,12 @@ references: - https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4648 - https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/basic-audit-logon-events drilldown_searches: -- name: View the detection results for $Computer$ - search: '%original_detection_search% | search Computer = $Computer$' +- name: View the detection results for - "$Computer$" + search: '%original_detection_search% | search Computer = "$Computer$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $Computer$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($Computer$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$Computer$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$Computer$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ search: '`wineventlog_security` EventCode=4648 Caller_User_Name!=*$ Target_User_Name!=*$ | bucket span=5m _time | stats dc(Target_User_Name) AS unique_accounts values(Target_User_Name) as tried_account by _time, Computer, Caller_User_Name | where unique_accounts > 30 | `windows_multiple_users_fail_to_authenticate_wth_explicitcredentials_filter`' diff --git a/detections/endpoint/windows_multiple_users_failed_to_authenticate_from_host_using_ntlm.yml b/detections/endpoint/windows_multiple_users_failed_to_authenticate_from_host_using_ntlm.yml index d39e5e91e7..885809dda5 100644 --- a/detections/endpoint/windows_multiple_users_failed_to_authenticate_from_host_using_ntlm.yml +++ b/detections/endpoint/windows_multiple_users_failed_to_authenticate_from_host_using_ntlm.yml @@ -12,12 +12,12 @@ references: - https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-credential-validation - https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4776 drilldown_searches: -- name: View the detection results for $Workstation$ - search: '%original_detection_search% | search Workstation = $Workstation$' +- name: View the detection results for - "$Workstation$" + search: '%original_detection_search% | search Workstation = "$Workstation$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $Workstation$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($Workstation$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$Workstation$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$Workstation$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ search: '`wineventlog_security` EventCode=4776 TargetUserName!=*$ Status=0xC000006A | bucket span=5m _time | stats dc(TargetUserName) AS unique_accounts values(TargetUserName) as tried_accounts by _time, Workstation | where unique_accounts > 30 | `windows_multiple_users_failed_to_authenticate_from_host_using_ntlm_filter`' diff --git a/detections/endpoint/windows_multiple_users_failed_to_authenticate_from_process.yml b/detections/endpoint/windows_multiple_users_failed_to_authenticate_from_process.yml index 31a26a5294..8f3dd04b5f 100644 --- a/detections/endpoint/windows_multiple_users_failed_to_authenticate_from_process.yml +++ b/detections/endpoint/windows_multiple_users_failed_to_authenticate_from_process.yml @@ -13,12 +13,12 @@ references: - https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4625 - https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/basic-audit-logon-events drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ search: '`wineventlog_security` EventCode=4625 Logon_Type=2 ProcessName!="-" | bucket span=5m _time | stats dc(TargetUserName) AS unique_accounts values(TargetUserName) as tried_accounts by _time, ProcessName, SubjectUserName, Computer | rename Computer as dest | where unique_accounts > 30 | `windows_multiple_users_failed_to_authenticate_from_process_filter`' diff --git a/detections/endpoint/windows_multiple_users_failed_to_authenticate_using_kerberos.yml b/detections/endpoint/windows_multiple_users_failed_to_authenticate_using_kerberos.yml index b83e9410e6..fddcd0c112 100644 --- a/detections/endpoint/windows_multiple_users_failed_to_authenticate_using_kerberos.yml +++ b/detections/endpoint/windows_multiple_users_failed_to_authenticate_using_kerberos.yml @@ -12,12 +12,12 @@ references: - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn319109(v=ws.11) - https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4771 drilldown_searches: -- name: View the detection results for $user$ - search: '%original_detection_search% | search user = $user$' +- name: View the detection results for - "$user$" + search: '%original_detection_search% | search user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ search: '`wineventlog_security` EventCode=4771 TargetUserName!="*$" Status=0x18 | bucket span=5m _time | stats dc(TargetUserName) AS unique_accounts values(TargetUserName) as user by _time, IpAddress | where unique_accounts > 30 | `windows_multiple_users_failed_to_authenticate_using_kerberos_filter`' diff --git a/detections/endpoint/windows_multiple_users_remotely_failed_to_authenticate_from_host.yml b/detections/endpoint/windows_multiple_users_remotely_failed_to_authenticate_from_host.yml index 8cdf8c1d4c..6de41fcf83 100644 --- a/detections/endpoint/windows_multiple_users_remotely_failed_to_authenticate_from_host.yml +++ b/detections/endpoint/windows_multiple_users_remotely_failed_to_authenticate_from_host.yml @@ -13,12 +13,12 @@ references: - https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4625 - https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/basic-audit-logon-events drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ search: '`wineventlog_security` EventCode=4625 Logon_Type=3 IpAddress!="-" | bucket span=5m _time | stats dc(TargetUserName) AS unique_accounts values(TargetUserName) as tried_accounts by _time, IpAddress, Computer | rename Computer as dest| where unique_accounts > 30 | `windows_multiple_users_remotely_failed_to_authenticate_from_host_filter`' diff --git a/detections/endpoint/windows_network_share_interaction_with_net.yml b/detections/endpoint/windows_network_share_interaction_with_net.yml index d8d213c945..09c1afd920 100644 --- a/detections/endpoint/windows_network_share_interaction_with_net.yml +++ b/detections/endpoint/windows_network_share_interaction_with_net.yml @@ -14,12 +14,12 @@ known_false_positives: Unknown references: - https://attack.mitre.org/techniques/T1135/ drilldown_searches: -- name: View the detection results for $dest$ and $user$ - search: '%original_detection_search% | search dest = $dest$ user = $user$' +- name: View the detection results for - "$dest$" and "$user$" + search: '%original_detection_search% | search dest = "$dest$" user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ and $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$, $user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" and "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_new_inprocserver32_added.yml b/detections/endpoint/windows_new_inprocserver32_added.yml index ade1df8dfc..e67339545b 100644 --- a/detections/endpoint/windows_new_inprocserver32_added.yml +++ b/detections/endpoint/windows_new_inprocserver32_added.yml @@ -7,24 +7,10 @@ data_source: - Sysmon EventID 13 type: Hunting status: production -description: The following analytic detects the addition of new InProcServer32 registry - keys on Windows endpoints. It leverages data from the Endpoint.Registry datamodel - to identify changes in registry paths associated with InProcServer32. This activity - is significant because malware often uses this mechanism to achieve persistence - or execute malicious code by registering a new InProcServer32 key pointing to a - harmful DLL. If confirmed malicious, this could allow an attacker to persist in - the environment or execute arbitrary code, posing a significant threat to system - integrity and security. -search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry - where Registry.registry_path="*\\InProcServer32\\*" by Registry.registry_path Registry.registry_key_name - Registry.registry_value_name Registry.registry_value_data Registry.dest Registry.process_guid - Registry.user | `drop_dm_object_name(Registry)` |`security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` | `windows_new_inprocserver32_added_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information - on process that include the name of the process responsible for the changes from - your endpoints into the `Endpoint` datamodel in the `Registry` node. -known_false_positives: False positives are expected. Filtering will be needed to properly - reduce legitimate applications from the results. +description: The following analytic detects the addition of new InProcServer32 registry keys on Windows endpoints. It leverages data from the Endpoint.Registry datamodel to identify changes in registry paths associated with InProcServer32. This activity is significant because malware often uses this mechanism to achieve persistence or execute malicious code by registering a new InProcServer32 key pointing to a harmful DLL. If confirmed malicious, this could allow an attacker to persist in the environment or execute arbitrary code, posing a significant threat to system integrity and security. +search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry where Registry.registry_path="*\\InProcServer32\\*" by Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.dest Registry.process_guid Registry.user | `drop_dm_object_name(Registry)` |`security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_new_inprocserver32_added_filter`' +how_to_implement: To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. +known_false_positives: False positives are expected. Filtering will be needed to properly reduce legitimate applications from the results. references: - https://www.netspi.com/blog/technical/red-team-operations/microsoft-outlook-remote-code-execution-cve-2024-21378/ tags: @@ -33,8 +19,7 @@ tags: asset_type: Endpoint confidence: 20 impact: 10 - message: A new InProcServer32 registry key was added to a Windows endpoint. This - could indicate suspicious or malicious activity on the $dest$ . + message: A new InProcServer32 registry key was added to a Windows endpoint. This could indicate suspicious or malicious activity on the $dest$ . mitre_attack_id: - T1112 observable: @@ -61,8 +46,6 @@ tags: tests: - name: True Positive Test attack_data: - - data: - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566/cve-2024-21378/inprocserver32_windows-sysmon.log + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566/cve-2024-21378/inprocserver32_windows-sysmon.log sourcetype: xmlwineventlog source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -# version bumped by pre-commit hook diff --git a/detections/endpoint/windows_ngrok_reverse_proxy_usage.yml b/detections/endpoint/windows_ngrok_reverse_proxy_usage.yml index 1cf445bbeb..2b65e28d02 100644 --- a/detections/endpoint/windows_ngrok_reverse_proxy_usage.yml +++ b/detections/endpoint/windows_ngrok_reverse_proxy_usage.yml @@ -16,12 +16,12 @@ known_false_positives: False positives will be present based on organizations th references: - https://www.cisa.gov/uscert/sites/default/files/publications/aa22-320a_joint_csa_iranian_government-sponsored_apt_actors_compromise_federal%20network_deploy_crypto%20miner_credential_harvester.pdf drilldown_searches: -- name: View the detection results for $user$ and $dest$ - search: '%original_detection_search% | search user = $user$ dest = $dest$' +- name: View the detection results for - "$user$" and "$dest$" + search: '%original_detection_search% | search user = "$user$" dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ and $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$, $dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" and "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_nirsoft_advancedrun.yml b/detections/endpoint/windows_nirsoft_advancedrun.yml index b0a48bff5c..7d1bdb1dc3 100644 --- a/detections/endpoint/windows_nirsoft_advancedrun.yml +++ b/detections/endpoint/windows_nirsoft_advancedrun.yml @@ -17,12 +17,12 @@ references: - http://www.nirsoft.net/utils/advanced_run.html - https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/ drilldown_searches: -- name: View the detection results for $user$ and $dest$ - search: '%original_detection_search% | search user = $user$ dest = $dest$' +- name: View the detection results for - "$user$" and "$dest$" + search: '%original_detection_search% | search user = "$user$" dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ and $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$, $dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" and "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_nirsoft_utilities.yml b/detections/endpoint/windows_nirsoft_utilities.yml index 233b4d3176..a080fc56ff 100644 --- a/detections/endpoint/windows_nirsoft_utilities.yml +++ b/detections/endpoint/windows_nirsoft_utilities.yml @@ -5,34 +5,14 @@ date: '2024-10-17' author: Michael Haag, Splunk status: production type: Hunting -description: The following analytic identifies the execution of commonly used NirSoft - utilities on Windows systems. It leverages data from Endpoint Detection and Response - (EDR) agents, focusing on process execution details such as process name, parent - process, and command-line arguments. This activity is significant for a SOC because - NirSoft utilities, while legitimate, can be used by adversaries for malicious purposes - like credential theft or system reconnaissance. If confirmed malicious, this activity - could lead to unauthorized access, data exfiltration, or further system compromise. +description: The following analytic identifies the execution of commonly used NirSoft utilities on Windows systems. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution details such as process name, parent process, and command-line arguments. This activity is significant for a SOC because NirSoft utilities, while legitimate, can be used by adversaries for malicious purposes like credential theft or system reconnaissance. If confirmed malicious, this activity could lead to unauthorized access, data exfiltration, or further system compromise. data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) - as lastTime FROM datamodel=Endpoint.Processes by Processes.dest Processes.user Processes.parent_process_name - Processes.process_name Processes.process Processes.original_file_name Processes.process_path - Processes.process_id Processes.parent_process_id | `drop_dm_object_name("Processes")` - | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `is_nirsoft_software_macro` - | `windows_nirsoft_utilities_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection - and Response (EDR) agents. These agents are designed to provide security-related - telemetry from the endpoints where the agent is installed. To implement this search, - you must ingest logs that contain the process GUID, process name, and parent process. - Additionally, you must ingest complete command-line executions. These logs must - be processed using the appropriate Splunk Technology Add-ons that are specific to - the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` - data model. Use the Splunk Common Information Model (CIM) to normalize the field - names and speed up the data modeling process. -known_false_positives: False positives may be present. Filtering may be required before - setting to alert. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.original_file_name Processes.process_path Processes.process_id Processes.parent_process_id | `drop_dm_object_name("Processes")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `is_nirsoft_software_macro` | `windows_nirsoft_utilities_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. +known_false_positives: False positives may be present. Filtering may be required before setting to alert. references: - https://www.cisa.gov/uscert/ncas/alerts/TA18-201A - http://www.nirsoft.net/ @@ -44,8 +24,7 @@ tags: asset_type: Endpoint confidence: 100 impact: 80 - message: An instance of $parent_process_name$ spawning $process_name$ was identified - on endpoint $dest$ by user $user$ related to NiRSoft software usage. + message: An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ related to NiRSoft software usage. mitre_attack_id: - T1588.002 observable: @@ -87,7 +66,6 @@ tags: tests: - name: True Positive Test attack_data: - - data: - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1588.002/atomic_red_team/windows-sysmon.log + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1588.002/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/windows_njrat_fileless_storage_via_registry.yml b/detections/endpoint/windows_njrat_fileless_storage_via_registry.yml index 0afb68547a..8b3a376f1f 100644 --- a/detections/endpoint/windows_njrat_fileless_storage_via_registry.yml +++ b/detections/endpoint/windows_njrat_fileless_storage_via_registry.yml @@ -15,12 +15,12 @@ known_false_positives: unknown references: - https://malpedia.caad.fkie.fraunhofer.de/details/win.njrat drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_non_discord_app_access_discord_leveldb.yml b/detections/endpoint/windows_non_discord_app_access_discord_leveldb.yml index 4eb53f7027..e57759a74b 100644 --- a/detections/endpoint/windows_non_discord_app_access_discord_leveldb.yml +++ b/detections/endpoint/windows_non_discord_app_access_discord_leveldb.yml @@ -14,12 +14,12 @@ known_false_positives: unknown references: - https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_non_system_account_targeting_lsass.yml b/detections/endpoint/windows_non_system_account_targeting_lsass.yml index 8221258129..fc3a549ac8 100644 --- a/detections/endpoint/windows_non_system_account_targeting_lsass.yml +++ b/detections/endpoint/windows_non_system_account_targeting_lsass.yml @@ -18,12 +18,12 @@ references: - https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1 - https://docs.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights?redirectedfrom=MSDN drilldown_searches: -- name: View the detection results for $user$ and $dest$ - search: '%original_detection_search% | search user = $user$ dest = $dest$' +- name: View the detection results for - "$user$" and "$dest$" + search: '%original_detection_search% | search user = "$user$" dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ and $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$, $dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" and "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_odbcconf_hunting.yml b/detections/endpoint/windows_odbcconf_hunting.yml index 5b6793938c..095ba0525d 100644 --- a/detections/endpoint/windows_odbcconf_hunting.yml +++ b/detections/endpoint/windows_odbcconf_hunting.yml @@ -5,34 +5,14 @@ date: '2024-10-17' author: Michael Haag, Splunk status: production type: Hunting -description: The following analytic identifies the execution of Odbcconf.exe within - the environment. It leverages data from Endpoint Detection and Response (EDR) agents, - focusing on process creation events where the process name is Odbcconf.exe. This - activity is significant because Odbcconf.exe can be used by attackers to execute - arbitrary commands or load malicious DLLs, potentially leading to code execution - or persistence. If confirmed malicious, this behavior could allow an attacker to - maintain access to the system, execute further malicious activities, or escalate - privileges, posing a significant threat to the environment. +description: The following analytic identifies the execution of Odbcconf.exe within the environment. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process creation events where the process name is Odbcconf.exe. This activity is significant because Odbcconf.exe can be used by attackers to execute arbitrary commands or load malicious DLLs, potentially leading to code execution or persistence. If confirmed malicious, this behavior could allow an attacker to maintain access to the system, execute further malicious activities, or escalate privileges, posing a significant threat to the environment. data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) - as lastTime from datamodel=Endpoint.Processes where Processes.process_name=odbcconf.exe - by Processes.dest Processes.user Processes.parent_process_name Processes.process_name - Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` - | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_odbcconf_hunting_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection - and Response (EDR) agents. These agents are designed to provide security-related - telemetry from the endpoints where the agent is installed. To implement this search, - you must ingest logs that contain the process GUID, process name, and parent process. - Additionally, you must ingest complete command-line executions. These logs must - be processed using the appropriate Splunk Technology Add-ons that are specific to - the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` - data model. Use the Splunk Common Information Model (CIM) to normalize the field - names and speed up the data modeling process. -known_false_positives: False positives will be present as this is meant to assist - with filtering and tuning. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=odbcconf.exe by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_odbcconf_hunting_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. +known_false_positives: False positives will be present as this is meant to assist with filtering and tuning. references: - https://strontic.github.io/xcyclopedia/library/odbcconf.exe-07FBA12552331355C103999806627314.html - https://twitter.com/redcanary/status/1541838407894171650?s=20&t=kp3WBPtfnyA3xW7D7wx0uw @@ -42,8 +22,7 @@ tags: asset_type: Endpoint confidence: 20 impact: 30 - message: An instance of $parent_process_name$ spawning $process_name$ was identified - on endpoint $dest$ by user $user$ attempting to circumvent controls. + message: An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to circumvent controls. mitre_attack_id: - T1218.008 observable: @@ -85,8 +64,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.008/atomic_red_team/windows-sysmon-odbc-regsvr.log + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.008/atomic_red_team/windows-sysmon-odbc-regsvr.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog update_timestamp: true diff --git a/detections/endpoint/windows_odbcconf_load_dll.yml b/detections/endpoint/windows_odbcconf_load_dll.yml index fab2db0d0a..8ef98b01fb 100644 --- a/detections/endpoint/windows_odbcconf_load_dll.yml +++ b/detections/endpoint/windows_odbcconf_load_dll.yml @@ -17,12 +17,12 @@ references: - https://strontic.github.io/xcyclopedia/library/odbcconf.exe-07FBA12552331355C103999806627314.html - https://twitter.com/redcanary/status/1541838407894171650?s=20&t=kp3WBPtfnyA3xW7D7wx0uw drilldown_searches: -- name: View the detection results for $user$ and $dest$ - search: '%original_detection_search% | search user = $user$ dest = $dest$' +- name: View the detection results for - "$user$" and "$dest$" + search: '%original_detection_search% | search user = "$user$" dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ and $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$, $dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" and "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_odbcconf_load_response_file.yml b/detections/endpoint/windows_odbcconf_load_response_file.yml index 11d368f107..afc7469efd 100644 --- a/detections/endpoint/windows_odbcconf_load_response_file.yml +++ b/detections/endpoint/windows_odbcconf_load_response_file.yml @@ -17,12 +17,12 @@ references: - https://strontic.github.io/xcyclopedia/library/odbcconf.exe-07FBA12552331355C103999806627314.html - https://twitter.com/redcanary/status/1541838407894171650?s=20&t=kp3WBPtfnyA3xW7D7wx0uw drilldown_searches: -- name: View the detection results for $user$ and $dest$ - search: '%original_detection_search% | search user = $user$ dest = $dest$' +- name: View the detection results for - "$user$" and "$dest$" + search: '%original_detection_search% | search user = "$user$" dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ and $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$, $dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" and "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_office_product_spawning_msdt.yml b/detections/endpoint/windows_office_product_spawning_msdt.yml index e1157998c8..d73f3ac016 100644 --- a/detections/endpoint/windows_office_product_spawning_msdt.yml +++ b/detections/endpoint/windows_office_product_spawning_msdt.yml @@ -22,12 +22,12 @@ references: - https://strontic.github.io/xcyclopedia/library/msdt.exe-152D4C9F63EFB332CCB134C6953C0104.html - https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/trojanized-onenote-document-leads-to-formbook-malware/ drilldown_searches: -- name: View the detection results for $user$ and $dest$ - search: '%original_detection_search% | search user = $user$ dest = $dest$' +- name: View the detection results for - "$user$" and "$dest$" + search: '%original_detection_search% | search user = "$user$" dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ and $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$, $dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" and "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_outlook_webview_registry_modification.yml b/detections/endpoint/windows_outlook_webview_registry_modification.yml index 49b55d38ba..fd4cf9a2da 100644 --- a/detections/endpoint/windows_outlook_webview_registry_modification.yml +++ b/detections/endpoint/windows_outlook_webview_registry_modification.yml @@ -15,12 +15,12 @@ references: - https://gist.github.com/MHaggis/c6318acde2e2f691b550e3a491f49ff1 - https://github.com/trustedsec/specula/wiki drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_papercut_ng_spawn_shell.yml b/detections/endpoint/windows_papercut_ng_spawn_shell.yml index 1099ae2d69..b9e3610f11 100644 --- a/detections/endpoint/windows_papercut_ng_spawn_shell.yml +++ b/detections/endpoint/windows_papercut_ng_spawn_shell.yml @@ -17,12 +17,12 @@ references: - https://www.cisa.gov/news-events/alerts/2023/05/11/cisa-and-fbi-release-joint-advisory-response-active-exploitation-papercut-vulnerability - https://www.papercut.com/kb/Main/PO-1216-and-PO-1219 drilldown_searches: -- name: View the detection results for $user$ and $dest$ - search: '%original_detection_search% | search user = $user$ dest = $dest$' +- name: View the detection results for - "$user$" and "$dest$" + search: '%original_detection_search% | search user = "$user$" dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ and $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$, $dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" and "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_parent_pid_spoofing_with_explorer.yml b/detections/endpoint/windows_parent_pid_spoofing_with_explorer.yml index badf679103..0e1e5124bf 100644 --- a/detections/endpoint/windows_parent_pid_spoofing_with_explorer.yml +++ b/detections/endpoint/windows_parent_pid_spoofing_with_explorer.yml @@ -16,12 +16,12 @@ known_false_positives: unknown references: - https://x.com/CyberRaiju/status/1273597319322058752?s=20 drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_password_managers_discovery.yml b/detections/endpoint/windows_password_managers_discovery.yml index 2a56f0fbfa..04a833f62d 100644 --- a/detections/endpoint/windows_password_managers_discovery.yml +++ b/detections/endpoint/windows_password_managers_discovery.yml @@ -18,12 +18,12 @@ references: - https://github.com/carlospolop/PEASS-ng/tree/master/winPEAS - https://www.microsoft.com/en-us/security/blog/2022/10/14/new-prestige-ransomware-impacts-organizations-in-ukraine-and-poland/ drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_phishing_outlook_drop_dll_in_form_dir.yml b/detections/endpoint/windows_phishing_outlook_drop_dll_in_form_dir.yml index 17f2ed6f31..ab3c8f19a6 100644 --- a/detections/endpoint/windows_phishing_outlook_drop_dll_in_form_dir.yml +++ b/detections/endpoint/windows_phishing_outlook_drop_dll_in_form_dir.yml @@ -14,12 +14,12 @@ known_false_positives: unknown references: - https://www.netspi.com/blog/technical/red-team-operations/microsoft-outlook-remote-code-execution-cve-2024-21378/ drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_phishing_pdf_file_executes_url_link.yml b/detections/endpoint/windows_phishing_pdf_file_executes_url_link.yml index 2ed3c70261..e7fdf3b983 100644 --- a/detections/endpoint/windows_phishing_pdf_file_executes_url_link.yml +++ b/detections/endpoint/windows_phishing_pdf_file_executes_url_link.yml @@ -16,12 +16,12 @@ known_false_positives: False positives in PDF file opened PDF Viewer having legi references: - https://twitter.com/pr0xylife/status/1615382907446767616?s=20 drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_phishing_recent_iso_exec_registry.yml b/detections/endpoint/windows_phishing_recent_iso_exec_registry.yml index b337f0de14..1e75a3cbc4 100644 --- a/detections/endpoint/windows_phishing_recent_iso_exec_registry.yml +++ b/detections/endpoint/windows_phishing_recent_iso_exec_registry.yml @@ -5,31 +5,13 @@ date: '2024-10-17' author: Teoderick Contreras, Splunk status: production type: Hunting -description: The following analytic detects the creation of registry artifacts when - an ISO container is opened, clicked, or mounted on a Windows operating system. It - leverages data from the Endpoint.Registry data model, specifically monitoring registry - keys related to recent ISO or IMG file executions. This activity is significant - as adversaries increasingly use container-based phishing campaigns to bypass macro-based - document execution controls. If confirmed malicious, this behavior could indicate - an initial access attempt, potentially leading to further exploitation, persistence, - or data exfiltration within the environment. +description: The following analytic detects the creation of registry artifacts when an ISO container is opened, clicked, or mounted on a Windows operating system. It leverages data from the Endpoint.Registry data model, specifically monitoring registry keys related to recent ISO or IMG file executions. This activity is significant as adversaries increasingly use container-based phishing campaigns to bypass macro-based document execution controls. If confirmed malicious, this behavior could indicate an initial access attempt, potentially leading to further exploitation, persistence, or data exfiltration within the environment. data_source: -- Sysmon EventID 12 +- Sysmon EventID 12 - Sysmon EventID 13 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) - as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_key_name= "*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RecentDocs\\.iso" - OR Registry.registry_key_name= "*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RecentDocs\\.img" - by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data - Registry.action Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` | `windows_phishing_recent_iso_exec_registry_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information - on process that include the name of the process responsible for the changes from - your endpoints into the `Endpoint` datamodel in the `Registry` node. In addition, - confirm the latest CIM App 4.20 or higher is installed and the latest TA for the - endpoint product. -known_false_positives: False positives may be high depending on the environment and - consistent use of ISOs. Restrict to servers, or filter out based on commonly used - ISO names. Filter as needed. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_key_name= "*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RecentDocs\\.iso" OR Registry.registry_key_name= "*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RecentDocs\\.img" by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_phishing_recent_iso_exec_registry_filter`' +how_to_implement: To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product. +known_false_positives: False positives may be high depending on the environment and consistent use of ISOs. Restrict to servers, or filter out based on commonly used ISO names. Filter as needed. references: - https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/ - https://unit42.paloaltonetworks.com/brute-ratel-c4-tool/ @@ -48,8 +30,7 @@ tags: asset_type: Endpoint confidence: 80 impact: 50 - message: An ISO file was mounted on $dest$ and should be reviewed and filtered as - needed. + message: An ISO file was mounted on $dest$ and should be reviewed and filtered as needed. mitre_attack_id: - T1566.001 - T1566 @@ -75,8 +56,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/brute_ratel/iso_version_dll_campaign/sysmon.log + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/brute_ratel/iso_version_dll_campaign/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog update_timestamp: true diff --git a/detections/endpoint/windows_possible_credential_dumping.yml b/detections/endpoint/windows_possible_credential_dumping.yml index 160decde7d..1d9aef3512 100644 --- a/detections/endpoint/windows_possible_credential_dumping.yml +++ b/detections/endpoint/windows_possible_credential_dumping.yml @@ -19,12 +19,12 @@ references: - https://docs.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights?redirectedfrom=MSDN - https://github.com/redcanaryco/AtomicTestHarnesses/blob/master/Windows/TestHarnesses/T1003.001_DumpLSASS/DumpLSASS.ps1 drilldown_searches: -- name: View the detection results for $user$ and $dest$ - search: '%original_detection_search% | search user = $user$ dest = $dest$' +- name: View the detection results for - "$user$" and "$dest$" + search: '%original_detection_search% | search user = "$user$" dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ and $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$, $dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" and "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_post_exploitation_risk_behavior.yml b/detections/endpoint/windows_post_exploitation_risk_behavior.yml index fb4d5ac8ed..98594f11a3 100644 --- a/detections/endpoint/windows_post_exploitation_risk_behavior.yml +++ b/detections/endpoint/windows_post_exploitation_risk_behavior.yml @@ -13,12 +13,12 @@ known_false_positives: False positives will be present based on many factors. Tu references: - https://github.com/carlospolop/PEASS-ng/tree/master/winPEAS/winPEASbat drilldown_searches: -- name: View the detection results for $risk_object$ - search: '%original_detection_search% | search risk_object = $risk_object$' +- name: View the detection results for - "$risk_object$" + search: '%original_detection_search% | search risk_object = "$risk_object$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $risk_object$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($risk_object$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$risk_object$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$risk_object$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_powershell_add_module_to_global_assembly_cache.yml b/detections/endpoint/windows_powershell_add_module_to_global_assembly_cache.yml index cdc3a9f3b4..32ae78a34b 100644 --- a/detections/endpoint/windows_powershell_add_module_to_global_assembly_cache.yml +++ b/detections/endpoint/windows_powershell_add_module_to_global_assembly_cache.yml @@ -15,12 +15,12 @@ references: - https://www.microsoft.com/en-us/security/blog/2022/12/12/iis-modules-the-evolution-of-web-shells-and-how-to-detect-them/ - https://www.microsoft.com/en-us/security/blog/2022/07/26/malicious-iis-extensions-quietly-open-persistent-backdoors-into-servers/ drilldown_searches: -- name: View the detection results for $Computer$ - search: '%original_detection_search% | search Computer = $Computer$' +- name: View the detection results for - "$Computer$" + search: '%original_detection_search% | search Computer = "$Computer$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $Computer$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($Computer$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$Computer$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$Computer$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_powershell_cryptography_namespace.yml b/detections/endpoint/windows_powershell_cryptography_namespace.yml index 09f948d26d..c67e3ea6df 100644 --- a/detections/endpoint/windows_powershell_cryptography_namespace.yml +++ b/detections/endpoint/windows_powershell_cryptography_namespace.yml @@ -14,12 +14,12 @@ known_false_positives: False positives should be limited. Filter as needed. references: - https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat drilldown_searches: -- name: View the detection results for $dest$ and $user$ - search: '%original_detection_search% | search dest = $dest$ user = $user$' +- name: View the detection results for - "$dest$" and "$user$" + search: '%original_detection_search% | search dest = "$dest$" user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ and $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$, $user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" and "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_powershell_disable_http_logging.yml b/detections/endpoint/windows_powershell_disable_http_logging.yml index a62ef23a05..892dec14a8 100644 --- a/detections/endpoint/windows_powershell_disable_http_logging.yml +++ b/detections/endpoint/windows_powershell_disable_http_logging.yml @@ -17,12 +17,12 @@ references: - https://unit42.paloaltonetworks.com/unit42-oilrig-uses-rgdoor-iis-backdoor-targets-middle-east/ - https://www.secureworks.com/research/bronze-union drilldown_searches: -- name: View the detection results for $Computer$ - search: '%original_detection_search% | search Computer = $Computer$' +- name: View the detection results for - "$Computer$" + search: '%original_detection_search% | search Computer = "$Computer$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $Computer$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($Computer$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$Computer$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$Computer$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_powershell_export_certificate.yml b/detections/endpoint/windows_powershell_export_certificate.yml index 70c8fced44..b2f0492a9c 100644 --- a/detections/endpoint/windows_powershell_export_certificate.yml +++ b/detections/endpoint/windows_powershell_export_certificate.yml @@ -15,12 +15,12 @@ references: - https://dev.to/iamthecarisma/managing-windows-pfx-certificates-through-powershell-3pj - https://learn.microsoft.com/en-us/powershell/module/pki/export-certificate?view=windowsserver2022-ps drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_powershell_export_pfxcertificate.yml b/detections/endpoint/windows_powershell_export_pfxcertificate.yml index 362fcb20f7..46e7822081 100644 --- a/detections/endpoint/windows_powershell_export_pfxcertificate.yml +++ b/detections/endpoint/windows_powershell_export_pfxcertificate.yml @@ -15,12 +15,12 @@ references: - https://dev.to/iamthecarisma/managing-windows-pfx-certificates-through-powershell-3pj - https://learn.microsoft.com/en-us/powershell/module/pki/export-pfxcertificate?view=windowsserver2022-ps drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_powershell_get_ciminstance_remote_computer.yml b/detections/endpoint/windows_powershell_get_ciminstance_remote_computer.yml index bab65f7874..bd5aff1412 100644 --- a/detections/endpoint/windows_powershell_get_ciminstance_remote_computer.yml +++ b/detections/endpoint/windows_powershell_get_ciminstance_remote_computer.yml @@ -14,12 +14,12 @@ known_false_positives: This is meant to be a low risk RBA anomaly analytic or to references: - https://learn.microsoft.com/en-us/powershell/module/cimcmdlets/get-ciminstance?view=powershell-7.3 drilldown_searches: -- name: View the detection results for $Computer$ - search: '%original_detection_search% | search Computer = $Computer$' +- name: View the detection results for - "$Computer$" + search: '%original_detection_search% | search Computer = "$Computer$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $Computer$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($Computer$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$Computer$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$Computer$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_powershell_iis_components_webglobalmodule_usage.yml b/detections/endpoint/windows_powershell_iis_components_webglobalmodule_usage.yml index 9271206304..a95536c532 100644 --- a/detections/endpoint/windows_powershell_iis_components_webglobalmodule_usage.yml +++ b/detections/endpoint/windows_powershell_iis_components_webglobalmodule_usage.yml @@ -19,12 +19,12 @@ references: - https://www.secureworks.com/research/bronze-union - https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/T1505.004 drilldown_searches: -- name: View the detection results for $Computer$ - search: '%original_detection_search% | search Computer = $Computer$' +- name: View the detection results for - "$Computer$" + search: '%original_detection_search% | search Computer = "$Computer$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $Computer$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($Computer$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$Computer$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$Computer$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_powershell_import_applocker_policy.yml b/detections/endpoint/windows_powershell_import_applocker_policy.yml index d5ca713932..636c015b4d 100644 --- a/detections/endpoint/windows_powershell_import_applocker_policy.yml +++ b/detections/endpoint/windows_powershell_import_applocker_policy.yml @@ -14,12 +14,12 @@ known_false_positives: administrators may execute this command that may cause so references: - https://app.any.run/tasks/a6f2ffe2-e6e2-4396-ae2e-04ea0143f2d8/ drilldown_searches: -- name: View the detection results for $dest$ and $user$ - search: '%original_detection_search% | search dest = $dest$ user = $user$' +- name: View the detection results for - "$dest$" and "$user$" + search: '%original_detection_search% | search dest = "$dest$" user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ and $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$, $user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" and "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_powershell_remotesigned_file.yml b/detections/endpoint/windows_powershell_remotesigned_file.yml index 1ed43ec2cf..4b4fe89d35 100644 --- a/detections/endpoint/windows_powershell_remotesigned_file.yml +++ b/detections/endpoint/windows_powershell_remotesigned_file.yml @@ -16,12 +16,12 @@ known_false_positives: It is possible administrators or scripts may run these co references: - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-executionpolicy?view=powershell-7.3 drilldown_searches: -- name: View the detection results for $dest$ and $user$ - search: '%original_detection_search% | search dest = $dest$ user = $user$' +- name: View the detection results for - "$dest$" and "$user$" + search: '%original_detection_search% | search dest = "$dest$" user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ and $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$, $user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" and "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_powershell_scheduletask.yml b/detections/endpoint/windows_powershell_scheduletask.yml index 6d18e34922..5954abd132 100644 --- a/detections/endpoint/windows_powershell_scheduletask.yml +++ b/detections/endpoint/windows_powershell_scheduletask.yml @@ -15,12 +15,12 @@ references: - https://learn.microsoft.com/en-us/powershell/module/scheduledtasks/?view=windowsserver2022-ps - https://thedfirreport.com/2023/06/12/a-truly-graceful-wipe-out/ drilldown_searches: -- name: View the detection results for $Computer$ and $user_id$ - search: '%original_detection_search% | search Computer = $Computer$ user_id = $user_id$' +- name: View the detection results for - "$Computer$" and "$user_id$" + search: '%original_detection_search% | search Computer = "$Computer$" user_id = "$user_id$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $Computer$ and $user_id$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($Computer$, $user_id$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$Computer$" and "$user_id$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$Computer$", "$user_id$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_powershell_wmi_win32_scheduledjob.yml b/detections/endpoint/windows_powershell_wmi_win32_scheduledjob.yml index 7e47404353..5742312c93 100644 --- a/detections/endpoint/windows_powershell_wmi_win32_scheduledjob.yml +++ b/detections/endpoint/windows_powershell_wmi_win32_scheduledjob.yml @@ -15,12 +15,12 @@ references: - https://securityonline.info/wmiexec-regout-get-outputdata-response-from-registry/ - https://learn.microsoft.com/en-us/windows/win32/cimwin32prov/win32-scheduledjob drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_powersploit_gpp_discovery.yml b/detections/endpoint/windows_powersploit_gpp_discovery.yml index 922dff58ad..f1383fa21d 100644 --- a/detections/endpoint/windows_powersploit_gpp_discovery.yml +++ b/detections/endpoint/windows_powersploit_gpp_discovery.yml @@ -19,12 +19,12 @@ references: - https://adsecurity.org/?p=2288 - https://support.microsoft.com/en-us/topic/ms14-025-vulnerability-in-group-policy-preferences-could-allow-elevation-of-privilege-may-13-2014-60734e15-af79-26ca-ea53-8cd617073c30 drilldown_searches: -- name: View the detection results for $Computer$ and $UserID$ - search: '%original_detection_search% | search Computer = $Computer$ UserID = $UserID$' +- name: View the detection results for - "$Computer$" and "$UserID$" + search: '%original_detection_search% | search Computer = "$Computer$" UserID = "$UserID$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $Computer$ and $UserID$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($Computer$, $UserID$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$Computer$" and "$UserID$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$Computer$", "$UserID$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_powerview_ad_access_control_list_enumeration.yml b/detections/endpoint/windows_powerview_ad_access_control_list_enumeration.yml index 46066d2c71..ba23c518aa 100644 --- a/detections/endpoint/windows_powerview_ad_access_control_list_enumeration.yml +++ b/detections/endpoint/windows_powerview_ad_access_control_list_enumeration.yml @@ -17,12 +17,12 @@ references: - https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/abusing-active-directory-acls-aces - https://powersploit.readthedocs.io/en/latest/Recon/Get-DomainObjectAcl/ drilldown_searches: -- name: View the detection results for $Computer$ - search: '%original_detection_search% | search Computer = $Computer$' +- name: View the detection results for - "$Computer$" + search: '%original_detection_search% | search Computer = "$Computer$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $Computer$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($Computer$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$Computer$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$Computer$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_powerview_constrained_delegation_discovery.yml b/detections/endpoint/windows_powerview_constrained_delegation_discovery.yml index 32c86f4acc..5550a9d3c3 100644 --- a/detections/endpoint/windows_powerview_constrained_delegation_discovery.yml +++ b/detections/endpoint/windows_powerview_constrained_delegation_discovery.yml @@ -19,12 +19,12 @@ references: - https://book.hacktricks.xyz/windows-hardening/active-directory-methodology/constrained-delegation - https://www.cyberark.com/resources/threat-research-blog/weakness-within-kerberos-delegation drilldown_searches: -- name: View the detection results for $dest$ and $user$ - search: '%original_detection_search% | search dest = $dest$ user = $user$' +- name: View the detection results for - "$dest$" and "$user$" + search: '%original_detection_search% | search dest = "$dest$" user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ and $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$, $user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" and "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_powerview_kerberos_service_ticket_request.yml b/detections/endpoint/windows_powerview_kerberos_service_ticket_request.yml index 58a218a649..b3dbd885fc 100644 --- a/detections/endpoint/windows_powerview_kerberos_service_ticket_request.yml +++ b/detections/endpoint/windows_powerview_kerberos_service_ticket_request.yml @@ -18,12 +18,12 @@ references: - https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/t1208-kerberoasting - https://attack.mitre.org/techniques/T1558/003 drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_powerview_spn_discovery.yml b/detections/endpoint/windows_powerview_spn_discovery.yml index faf0d7c3ba..043ec0299b 100644 --- a/detections/endpoint/windows_powerview_spn_discovery.yml +++ b/detections/endpoint/windows_powerview_spn_discovery.yml @@ -17,12 +17,12 @@ references: - https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/t1208-kerberoasting - https://attack.mitre.org/techniques/T1558/003 drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_powerview_unconstrained_delegation_discovery.yml b/detections/endpoint/windows_powerview_unconstrained_delegation_discovery.yml index 68e5b706e2..cc900f2545 100644 --- a/detections/endpoint/windows_powerview_unconstrained_delegation_discovery.yml +++ b/detections/endpoint/windows_powerview_unconstrained_delegation_discovery.yml @@ -18,12 +18,12 @@ references: - https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/domain-compromise-via-unrestricted-kerberos-delegation - https://www.cyberark.com/resources/threat-research-blog/weakness-within-kerberos-delegation drilldown_searches: -- name: View the detection results for $dest$ and $user$ - search: '%original_detection_search% | search dest = $dest$ user = $user$' +- name: View the detection results for - "$dest$" and "$user$" + search: '%original_detection_search% | search dest = "$dest$" user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ and $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$, $user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" and "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_private_keys_discovery.yml b/detections/endpoint/windows_private_keys_discovery.yml index 19c7f25fbb..599a27b0d5 100644 --- a/detections/endpoint/windows_private_keys_discovery.yml +++ b/detections/endpoint/windows_private_keys_discovery.yml @@ -18,12 +18,12 @@ references: - https://github.com/carlospolop/PEASS-ng/tree/master/winPEAS - https://www.microsoft.com/en-us/security/blog/2022/10/14/new-prestige-ransomware-impacts-organizations-in-ukraine-and-poland/ drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_privilege_escalation_suspicious_process_elevation.yml b/detections/endpoint/windows_privilege_escalation_suspicious_process_elevation.yml index 94a29a0b69..5fe5d28c60 100644 --- a/detections/endpoint/windows_privilege_escalation_suspicious_process_elevation.yml +++ b/detections/endpoint/windows_privilege_escalation_suspicious_process_elevation.yml @@ -19,12 +19,12 @@ references: - https://redcanary.com/blog/getsystem-offsec/ - https://atomicredteam.io/privilege-escalation/T1134.001/ drilldown_searches: -- name: View the detection results for $dest$ and $user$ - search: '%original_detection_search% | search dest = $dest$ user = $user$ src_user = $src_user$' +- name: View the detection results for - "$dest$" and "$user$" + search: '%original_detection_search% | search dest = "$dest$" user = "$user$" src_user = "$src_user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ and $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$, $user$, $src_user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" and "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$", "$src_user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_privilege_escalation_system_process_without_system_parent.yml b/detections/endpoint/windows_privilege_escalation_system_process_without_system_parent.yml index 4b570b3c1d..4b1f065ec3 100644 --- a/detections/endpoint/windows_privilege_escalation_system_process_without_system_parent.yml +++ b/detections/endpoint/windows_privilege_escalation_system_process_without_system_parent.yml @@ -19,12 +19,12 @@ references: - https://redcanary.com/blog/getsystem-offsec/ - https://atomicredteam.io/privilege-escalation/T1134.001/ drilldown_searches: -- name: View the detection results for $dest$ and $src_user$ - search: '%original_detection_search% | search dest = $dest$ src_user = $src_user$' +- name: View the detection results for - "$dest$" and "$src_user$" + search: '%original_detection_search% | search dest = "$dest$" src_user = "$src_user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ and $src_user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$, $src_user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" and "$src_user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$src_user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_privilege_escalation_user_process_spawn_system_process.yml b/detections/endpoint/windows_privilege_escalation_user_process_spawn_system_process.yml index 910f67b23a..2cee7919ad 100644 --- a/detections/endpoint/windows_privilege_escalation_user_process_spawn_system_process.yml +++ b/detections/endpoint/windows_privilege_escalation_user_process_spawn_system_process.yml @@ -19,12 +19,12 @@ references: - https://redcanary.com/blog/getsystem-offsec/ - https://atomicredteam.io/privilege-escalation/T1134.001/ drilldown_searches: -- name: View the detection results for $dest$ and $user$ - search: '%original_detection_search% | search dest = $dest$ user = $user$' +- name: View the detection results for - "$dest$" and "$user$" + search: '%original_detection_search% | search dest = "$dest$" user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ and $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$, $user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" and "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_privileged_group_modification.yml b/detections/endpoint/windows_privileged_group_modification.yml index b4cd6b3fa2..481dc3abb7 100644 --- a/detections/endpoint/windows_privileged_group_modification.yml +++ b/detections/endpoint/windows_privileged_group_modification.yml @@ -23,12 +23,12 @@ references: - https://www.rapid7.com/blog/post/2024/07/30/vmware-esxi-cve-2024-37085-targeted-in-ransomware-campaigns/%5C - https://x.com/mthcht/status/1818196168515461431?s=12&t=kwffmj0KM1sZtg3MrqC0QQ drilldown_searches: -- name: View the detection results for $src_user$ and $dest$ - search: '%original_detection_search% | search src_user = $src_user$ dest = $dest$' +- name: View the detection results for - "$src_user$" and "$dest$" + search: '%original_detection_search% | search src_user = "$src_user$" dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $src_user$ and $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($src_user$, $dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$src_user$" and "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src_user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_process_commandline_discovery.yml b/detections/endpoint/windows_process_commandline_discovery.yml index 7d7427b1bc..793bc4aaf9 100644 --- a/detections/endpoint/windows_process_commandline_discovery.yml +++ b/detections/endpoint/windows_process_commandline_discovery.yml @@ -9,32 +9,10 @@ data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -description: The following analytic detects the use of Windows Management Instrumentation - Command-line (WMIC) to retrieve information about running processes, specifically - targeting the command lines used to launch those processes. This detection leverages - data from Endpoint Detection and Response (EDR) agents, focusing on logs containing - process details and command-line executions. This activity is significant as it - may indicate suspicious behavior, such as a user or process gathering detailed process - information, which is uncommon for non-technical users. If confirmed malicious, - this could allow an attacker to gain insights into running processes, aiding in - further exploitation or lateral movement. -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) - as lastTime from datamodel=Endpoint.Processes where `process_wmic` Processes.process= - "* process *" Processes.process= "* get commandline *" by Processes.dest Processes.user - Processes.parent_process Processes.process_name Processes.process Processes.process_id - Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` | `windows_process_commandline_discovery_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection - and Response (EDR) agents. These agents are designed to provide security-related - telemetry from the endpoints where the agent is installed. To implement this search, - you must ingest logs that contain the process GUID, process name, and parent process. - Additionally, you must ingest complete command-line executions. These logs must - be processed using the appropriate Splunk Technology Add-ons that are specific to - the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` - data model. Use the Splunk Common Information Model (CIM) to normalize the field - names and speed up the data modeling process. -known_false_positives: Administrators or power users may use this command for troubleshooting. - Filter as needed. +description: The following analytic detects the use of Windows Management Instrumentation Command-line (WMIC) to retrieve information about running processes, specifically targeting the command lines used to launch those processes. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on logs containing process details and command-line executions. This activity is significant as it may indicate suspicious behavior, such as a user or process gathering detailed process information, which is uncommon for non-technical users. If confirmed malicious, this could allow an attacker to gain insights into running processes, aiding in further exploitation or lateral movement. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_wmic` Processes.process= "* process *" Processes.process= "* get commandline *" by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_process_commandline_discovery_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. +known_false_positives: Administrators or power users may use this command for troubleshooting. Filter as needed. references: - https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a tags: @@ -43,8 +21,7 @@ tags: asset_type: Endpoint confidence: 50 impact: 30 - message: Activity related to process commandline discovery detected on $dest$ using - wmic.exe. + message: Activity related to process commandline discovery detected on $dest$ using wmic.exe. mitre_attack_id: - T1057 observable: @@ -74,7 +51,6 @@ tags: tests: - name: True Positive Test attack_data: - - data: - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1057/process_commandline_discovery/wmic-cmdline-sysmon.log + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1057/process_commandline_discovery/wmic-cmdline-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/windows_process_injection_in_non_service_searchindexer.yml b/detections/endpoint/windows_process_injection_in_non_service_searchindexer.yml index c0e32708f6..e79cc02be1 100644 --- a/detections/endpoint/windows_process_injection_in_non_service_searchindexer.yml +++ b/detections/endpoint/windows_process_injection_in_non_service_searchindexer.yml @@ -17,12 +17,12 @@ references: - https://twitter.com/Max_Mal_/status/1736392741758611607 - https://twitter.com/1ZRR4H/status/1735944522075386332 drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_process_injection_into_notepad.yml b/detections/endpoint/windows_process_injection_into_notepad.yml index 4aa41bd7e7..10f22c4423 100644 --- a/detections/endpoint/windows_process_injection_into_notepad.yml +++ b/detections/endpoint/windows_process_injection_into_notepad.yml @@ -15,12 +15,12 @@ references: - https://dominicbreuker.com/post/learning_sliver_c2_08_implant_basics/ - https://www.cybereason.com/blog/sliver-c2-leveraged-by-many-threat-actors drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_process_injection_of_wermgr_to_known_browser.yml b/detections/endpoint/windows_process_injection_of_wermgr_to_known_browser.yml index ab62778c20..41d72da587 100644 --- a/detections/endpoint/windows_process_injection_of_wermgr_to_known_browser.yml +++ b/detections/endpoint/windows_process_injection_of_wermgr_to_known_browser.yml @@ -15,12 +15,12 @@ references: - https://news.sophos.com/en-us/2022/03/10/qakbot-decoded/ - https://www.trellix.com/en-us/about/newsroom/stories/research/demystifying-qbot-malware.html drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_process_injection_remote_thread.yml b/detections/endpoint/windows_process_injection_remote_thread.yml index a4e1f4e331..af49ec62f6 100644 --- a/detections/endpoint/windows_process_injection_remote_thread.yml +++ b/detections/endpoint/windows_process_injection_remote_thread.yml @@ -15,12 +15,12 @@ references: - https://twitter.com/pr0xylife/status/1585612370441031680?s=46&t=Dc3CJi4AnM-8rNoacLbScg - https://thedfirreport.com/2023/06/12/a-truly-graceful-wipe-out/ drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_process_injection_wermgr_child_process.yml b/detections/endpoint/windows_process_injection_wermgr_child_process.yml index 3a5c323fd1..a0de132ec7 100644 --- a/detections/endpoint/windows_process_injection_wermgr_child_process.yml +++ b/detections/endpoint/windows_process_injection_wermgr_child_process.yml @@ -16,12 +16,12 @@ known_false_positives: unknown references: - https://twitter.com/pr0xylife/status/1585612370441031680?s=46&t=Dc3CJi4AnM-8rNoacLbScg drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_process_injection_with_public_source_path.yml b/detections/endpoint/windows_process_injection_with_public_source_path.yml index dafaa1fc12..be223128b9 100644 --- a/detections/endpoint/windows_process_injection_with_public_source_path.yml +++ b/detections/endpoint/windows_process_injection_with_public_source_path.yml @@ -5,27 +5,12 @@ date: '2024-10-17' author: Teoderick Contreras, Splunk status: production type: Hunting -description: The following analytic detects a process from a non-standard file path - on Windows attempting to create a remote thread in another process. This is identified - using Sysmon EventCode 8, focusing on processes not originating from typical system - directories. This behavior is significant as it often indicates process injection, - a technique used by adversaries to evade detection or escalate privileges. If confirmed - malicious, this activity could allow an attacker to execute arbitrary code within - another process, potentially leading to unauthorized actions and further compromise - of the system. +description: The following analytic detects a process from a non-standard file path on Windows attempting to create a remote thread in another process. This is identified using Sysmon EventCode 8, focusing on processes not originating from typical system directories. This behavior is significant as it often indicates process injection, a technique used by adversaries to evade detection or escalate privileges. If confirmed malicious, this activity could allow an attacker to execute arbitrary code within another process, potentially leading to unauthorized actions and further compromise of the system. data_source: - Sysmon EventID 8 -search: '`sysmon` EventCode=8 TargetImage = "*.exe" AND NOT(SourceImage IN("C:\\Windows\\*", - "C:\\Program File*", "%systemroot%\\*")) | stats count min(_time) as firstTime max(_time) - as lastTime by SourceImage TargetImage signature TargetProcessGuid SourceProcessGuid - TargetProcessId SourceProcessId StartAddress EventCode dest | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` | `windows_process_injection_with_public_source_path_filter`' -how_to_implement: To successfully implement this search, you must be ingesting data - that records process activity from your hosts to populate the endpoint data model - in the processes node. If you are using Sysmon, you must have at least version 6.0.4 - of the Sysmon TA. -known_false_positives: Some security products or third party applications may utilize - CreateRemoteThread, filter as needed before enabling as a notable. +search: '`sysmon` EventCode=8 TargetImage = "*.exe" AND NOT(SourceImage IN("C:\\Windows\\*", "C:\\Program File*", "%systemroot%\\*")) | stats count min(_time) as firstTime max(_time) as lastTime by SourceImage TargetImage signature TargetProcessGuid SourceProcessGuid TargetProcessId SourceProcessId StartAddress EventCode dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_process_injection_with_public_source_path_filter`' +how_to_implement: To successfully implement this search, you must be ingesting data that records process activity from your hosts to populate the endpoint data model in the processes node. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. +known_false_positives: Some security products or third party applications may utilize CreateRemoteThread, filter as needed before enabling as a notable. references: - https://unit42.paloaltonetworks.com/brute-ratel-c4-tool/ tags: @@ -34,8 +19,7 @@ tags: asset_type: Endpoint confidence: 80 impact: 80 - message: process $SourceImage$ create a remote thread to process $TargetImage$ on - host $dest$ + message: process $SourceImage$ create a remote thread to process $TargetImage$ on host $dest$ mitre_attack_id: - T1055 - T1055.002 @@ -74,8 +58,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/brute_ratel/create_remote_thread/sysmon.log + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/brute_ratel/create_remote_thread/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog update_timestamp: true diff --git a/detections/endpoint/windows_process_with_namedpipe_commandline.yml b/detections/endpoint/windows_process_with_namedpipe_commandline.yml index c53caeb26e..9d1d4dced6 100644 --- a/detections/endpoint/windows_process_with_namedpipe_commandline.yml +++ b/detections/endpoint/windows_process_with_namedpipe_commandline.yml @@ -16,12 +16,12 @@ known_false_positives: Normal browser application may use this technique. Please references: - https://blog.talosintelligence.com/2018/02/olympic-destroyer.html drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_process_writing_file_to_world_writable_path.yml b/detections/endpoint/windows_process_writing_file_to_world_writable_path.yml index 3e324b6c9b..846fd797e3 100644 --- a/detections/endpoint/windows_process_writing_file_to_world_writable_path.yml +++ b/detections/endpoint/windows_process_writing_file_to_world_writable_path.yml @@ -6,41 +6,10 @@ author: Michael Haag, Splunk data_source: [] type: Hunting status: production -description: The following analytic identifies a process writing a .txt file to a - world writable path. This detection leverages data from Endpoint Detection and Response - (EDR) agents, focusing on file creation events within specific directories. This - activity is significant as adversaries often use such techniques to deliver payloads - to a system, which is uncommon for legitimate processes. If confirmed malicious, - this behavior could allow attackers to execute arbitrary code, escalate privileges, - or maintain persistence within the environment, posing a significant security risk. -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) - as lastTime from datamodel=Endpoint.Filesystem where Filesystem.file_name=*.txt - Filesystem.file_path IN ("*\\Windows\\Tasks\\*", "*\\Windows\\Temp\\*", "*\\Windows\\tracing\\*", - "*\\Windows\\PLA\\Reports\\*", "*\\Windows\\PLA\\Rules\\*", "*\\Windows\\PLA\\Templates\\*", - "*\\Windows\\PLA\\Reports\\en-US\\*", "*\\Windows\\PLA\\Rules\\en-US\\*", "*\\Windows\\Registration\\CRMLog\\*", - "*\\Windows\\System32\\Tasks\\*", "*\\Windows\\System32\\Com\\dmp\\*", "*\\Windows\\System32\\LogFiles\\WMI\\*", - "*\\Windows\\System32\\Microsoft\\Crypto\\RSA\\MachineKeys\\*", "*\\Windows\\System32\\spool\\PRINTERS\\*", - "*\\Windows\\System32\\spool\\SERVERS\\*", "*\\Windows\\System32\\spool\\drivers\\color\\*", - "*\\Windows\\System32\\Tasks\\Microsoft\\Windows\\RemoteApp and Desktop Connections - Update\\*", "*\\Windows\\SysWOW64\\Tasks\\*", "*\\Windows\\SysWOW64\\Com\\dmp\\*", - "*\\Windows\\SysWOW64\\Tasks\\Microsoft\\Windows\\PLA\\*", "*\\Windows\\SysWOW64\\Tasks\\Microsoft\\Windows\\RemoteApp - and Desktop Connections Update\\*", "*\\Windows\\SysWOW64\\Tasks\\Microsoft\\Windows\\PLA\\System\\*") - by Filesystem.dest, Filesystem.user, Filesystem.file_name Filesystem.file_path | - `drop_dm_object_name("Filesystem")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` - | `windows_process_writing_file_to_world_writable_path_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection - and Response (EDR) agents. These agents are designed to provide security-related - telemetry from the endpoints where the agent is installed. To implement this search, - you must ingest logs that contain the file creation event, process name, file path - and, file name. These logs must be processed using the appropriate Splunk Technology - Add-ons that are specific to the EDR product. The logs must also be mapped to the - `Filesystem` node of the `Endpoint` data model. Use the Splunk Common Information - Model (CIM) to normalize the field names and speed up the data modeling process. -known_false_positives: False positives may occur if legitimate software writes to - these paths. Modify the search to include additional file name extensions. To enhance - it further, adding a join on Processes.process_name may assist with restricting - the analytic to specific process names. Investigate the process and file to determine - if it is malicious. +description: The following analytic identifies a process writing a .txt file to a world writable path. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on file creation events within specific directories. This activity is significant as adversaries often use such techniques to deliver payloads to a system, which is uncommon for legitimate processes. If confirmed malicious, this behavior could allow attackers to execute arbitrary code, escalate privileges, or maintain persistence within the environment, posing a significant security risk. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Filesystem where Filesystem.file_name=*.txt Filesystem.file_path IN ("*\\Windows\\Tasks\\*", "*\\Windows\\Temp\\*", "*\\Windows\\tracing\\*", "*\\Windows\\PLA\\Reports\\*", "*\\Windows\\PLA\\Rules\\*", "*\\Windows\\PLA\\Templates\\*", "*\\Windows\\PLA\\Reports\\en-US\\*", "*\\Windows\\PLA\\Rules\\en-US\\*", "*\\Windows\\Registration\\CRMLog\\*", "*\\Windows\\System32\\Tasks\\*", "*\\Windows\\System32\\Com\\dmp\\*", "*\\Windows\\System32\\LogFiles\\WMI\\*", "*\\Windows\\System32\\Microsoft\\Crypto\\RSA\\MachineKeys\\*", "*\\Windows\\System32\\spool\\PRINTERS\\*", "*\\Windows\\System32\\spool\\SERVERS\\*", "*\\Windows\\System32\\spool\\drivers\\color\\*", "*\\Windows\\System32\\Tasks\\Microsoft\\Windows\\RemoteApp and Desktop Connections Update\\*", "*\\Windows\\SysWOW64\\Tasks\\*", "*\\Windows\\SysWOW64\\Com\\dmp\\*", "*\\Windows\\SysWOW64\\Tasks\\Microsoft\\Windows\\PLA\\*", "*\\Windows\\SysWOW64\\Tasks\\Microsoft\\Windows\\RemoteApp and Desktop Connections Update\\*", "*\\Windows\\SysWOW64\\Tasks\\Microsoft\\Windows\\PLA\\System\\*") by Filesystem.dest, Filesystem.user, Filesystem.file_name Filesystem.file_path | `drop_dm_object_name("Filesystem")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_process_writing_file_to_world_writable_path_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the file creation event, process name, file path and, file name. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Filesystem` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. +known_false_positives: False positives may occur if legitimate software writes to these paths. Modify the search to include additional file name extensions. To enhance it further, adding a join on Processes.process_name may assist with restricting the analytic to specific process names. Investigate the process and file to determine if it is malicious. references: - https://research.splunk.com/endpoint/efbcf8ee-bc75-47f1-8985-a5c638c4faf0/ tags: @@ -49,8 +18,7 @@ tags: asset_type: Endpoint confidence: 50 impact: 50 - message: A process wrote a file name- [$file_name$] to a world writable file path - [$file_path$] on host- [$dest$]. + message: A process wrote a file name- [$file_name$] to a world writable file path [$file_path$] on host- [$dest$]. mitre_attack_id: - T1218.005 observable: @@ -78,7 +46,6 @@ tags: tests: - name: True Positive Test attack_data: - - data: - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.005/atomic_red_team/mshta_tasks_windows-sysmon.log + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.005/atomic_red_team/mshta_tasks_windows-sysmon.log sourcetype: xmlwineventlog source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/windows_processes_killed_by_industroyer2_malware.yml b/detections/endpoint/windows_processes_killed_by_industroyer2_malware.yml index f58ea87b06..834874a5f9 100644 --- a/detections/endpoint/windows_processes_killed_by_industroyer2_malware.yml +++ b/detections/endpoint/windows_processes_killed_by_industroyer2_malware.yml @@ -14,12 +14,12 @@ known_false_positives: False positives are possible if legitimate applications a references: - https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/ drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_protocol_tunneling_with_plink.yml b/detections/endpoint/windows_protocol_tunneling_with_plink.yml index 3f3b4b49f5..014ee7162a 100644 --- a/detections/endpoint/windows_protocol_tunneling_with_plink.yml +++ b/detections/endpoint/windows_protocol_tunneling_with_plink.yml @@ -21,12 +21,12 @@ references: - https://media.defense.gov/2024/Jul/25/2003510137/-1/-1/0/Joint-CSA-North-Korea-Cyber-Espionage-Advance-Military-Nuclear-Programs.PDF - https://blog.talosintelligence.com/lazarus-three-rats/ drilldown_searches: -- name: View the detection results for $user$ and $dest$ - search: '%original_detection_search% | search user = $user$ dest = $dest$' +- name: View the detection results for - "$user$" and "$dest$" + search: '%original_detection_search% | search user = "$user$" dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ and $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$, $dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" and "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_proxy_via_netsh.yml b/detections/endpoint/windows_proxy_via_netsh.yml index b39f4d64d4..fed264ab49 100644 --- a/detections/endpoint/windows_proxy_via_netsh.yml +++ b/detections/endpoint/windows_proxy_via_netsh.yml @@ -16,12 +16,12 @@ known_false_positives: Some VPN applications are known to launch netsh.exe. Outs references: - https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/ drilldown_searches: -- name: View the detection results for $dest$ and $user$ - search: '%original_detection_search% | search dest = $dest$ user = $user$' +- name: View the detection results for - "$dest$" and "$user$" + search: '%original_detection_search% | search dest = "$dest$" user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ and $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$, $user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" and "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_proxy_via_registry.yml b/detections/endpoint/windows_proxy_via_registry.yml index dadefc5395..c5431e9e64 100644 --- a/detections/endpoint/windows_proxy_via_registry.yml +++ b/detections/endpoint/windows_proxy_via_registry.yml @@ -15,12 +15,12 @@ known_false_positives: unknown references: - https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/ drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_query_registry_browser_list_application.yml b/detections/endpoint/windows_query_registry_browser_list_application.yml index e5a14c6e70..5d9478153b 100644 --- a/detections/endpoint/windows_query_registry_browser_list_application.yml +++ b/detections/endpoint/windows_query_registry_browser_list_application.yml @@ -14,12 +14,12 @@ known_false_positives: uninstall application may access this registry to remove references: - https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_query_registry_reg_save.yml b/detections/endpoint/windows_query_registry_reg_save.yml index 4d222175a9..e13fc7461c 100644 --- a/detections/endpoint/windows_query_registry_reg_save.yml +++ b/detections/endpoint/windows_query_registry_reg_save.yml @@ -5,34 +5,14 @@ date: '2024-10-17' author: Teoderick Contreras, Splunk status: production type: Hunting -description: The following analytic detects the execution of the reg.exe process with - the "save" parameter. This detection leverages data from Endpoint Detection and - Response (EDR) agents, focusing on process execution logs and command-line arguments. - This activity is significant because threat actors often use the "reg save" command - to dump credentials or test registry modification capabilities on compromised hosts. - If confirmed malicious, this behavior could allow attackers to escalate privileges, - persist in the environment, or access sensitive information stored in the registry. +description: The following analytic detects the execution of the reg.exe process with the "save" parameter. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs and command-line arguments. This activity is significant because threat actors often use the "reg save" command to dump credentials or test registry modification capabilities on compromised hosts. If confirmed malicious, this behavior could allow attackers to escalate privileges, persist in the environment, or access sensitive information stored in the registry. data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) - as lastTime from datamodel=Endpoint.Processes where `process_reg` AND Processes.process - = "* save *" by Processes.process_name Processes.original_file_name Processes.process - Processes.process_id Processes.process_guid Processes.parent_process_name Processes.parent_process - Processes.parent_process_guid Processes.dest Processes.user | `drop_dm_object_name(Processes)` - | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_query_registry_reg_save_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection - and Response (EDR) agents. These agents are designed to provide security-related - telemetry from the endpoints where the agent is installed. To implement this search, - you must ingest logs that contain the process GUID, process name, and parent process. - Additionally, you must ingest complete command-line executions. These logs must - be processed using the appropriate Splunk Technology Add-ons that are specific to - the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` - data model. Use the Splunk Common Information Model (CIM) to normalize the field - names and speed up the data modeling process. -known_false_positives: network administrator can use this command tool to backup registry - before updates or modifying critical registries. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_reg` AND Processes.process = "* save *" by Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.process_guid Processes.parent_process_name Processes.parent_process Processes.parent_process_guid Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_query_registry_reg_save_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. +known_false_positives: network administrator can use this command tool to backup registry before updates or modifying critical registries. references: - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/quser - https://github.com/carlospolop/PEASS-ng/tree/master/winPEAS @@ -81,8 +61,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/winpeas/sysmon.log + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/winpeas/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog update_timestamp: true diff --git a/detections/endpoint/windows_query_registry_uninstall_program_list.yml b/detections/endpoint/windows_query_registry_uninstall_program_list.yml index e80aa1cf94..fe4505654c 100644 --- a/detections/endpoint/windows_query_registry_uninstall_program_list.yml +++ b/detections/endpoint/windows_query_registry_uninstall_program_list.yml @@ -14,12 +14,12 @@ known_false_positives: Uninstall application may access this registry to remove references: - https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_raccine_scheduled_task_deletion.yml b/detections/endpoint/windows_raccine_scheduled_task_deletion.yml index d6f1cb4e02..eb51584563 100644 --- a/detections/endpoint/windows_raccine_scheduled_task_deletion.yml +++ b/detections/endpoint/windows_raccine_scheduled_task_deletion.yml @@ -17,12 +17,12 @@ references: - https://redcanary.com/blog/blackbyte-ransomware/ - https://github.com/Neo23x0/Raccine drilldown_searches: -- name: View the detection results for $user$ and $dest$ - search: '%original_detection_search% | search user = $user$ dest = $dest$' +- name: View the detection results for - "$user$" and "$dest$" + search: '%original_detection_search% | search user = "$user$" dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ and $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$, $dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" and "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_rapid_authentication_on_multiple_hosts.yml b/detections/endpoint/windows_rapid_authentication_on_multiple_hosts.yml index ab543b673d..b2838a4cec 100644 --- a/detections/endpoint/windows_rapid_authentication_on_multiple_hosts.yml +++ b/detections/endpoint/windows_rapid_authentication_on_multiple_hosts.yml @@ -16,12 +16,12 @@ references: - https://thedfirreport.com/2023/01/23/sharefinder-how-threat-actors-discover-file-shares/ - https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4624 drilldown_searches: -- name: View the detection results for $host_targets$ - search: '%original_detection_search% | search host_targets = $host_targets$' +- name: View the detection results for - "$host_targets$" + search: '%original_detection_search% | search host_targets = "$host_targets$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $host_targets$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($host_targets$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$host_targets$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$host_targets$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_rasautou_dll_execution.yml b/detections/endpoint/windows_rasautou_dll_execution.yml index a6cad862f3..c35ed4cd60 100644 --- a/detections/endpoint/windows_rasautou_dll_execution.yml +++ b/detections/endpoint/windows_rasautou_dll_execution.yml @@ -19,12 +19,12 @@ references: - https://gist.github.com/NickTyrer/c6043e4b302d5424f701f15baf136513 - https://www.mandiant.com/resources/staying-hidden-on-the-endpoint-evading-detection-with-shellcode drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_raw_access_to_disk_volume_partition.yml b/detections/endpoint/windows_raw_access_to_disk_volume_partition.yml index a56ecc4625..7bb115e47e 100644 --- a/detections/endpoint/windows_raw_access_to_disk_volume_partition.yml +++ b/detections/endpoint/windows_raw_access_to_disk_volume_partition.yml @@ -14,12 +14,12 @@ known_false_positives: This event is really notable but we found minimal number references: - https://blog.talosintelligence.com/2022/02/threat-advisory-hermeticwiper.html drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_raw_access_to_master_boot_record_drive.yml b/detections/endpoint/windows_raw_access_to_master_boot_record_drive.yml index 376e3cc041..1537ffec7e 100644 --- a/detections/endpoint/windows_raw_access_to_master_boot_record_drive.yml +++ b/detections/endpoint/windows_raw_access_to_master_boot_record_drive.yml @@ -16,12 +16,12 @@ references: - https://www.crowdstrike.com/blog/technical-analysis-of-whispergate-malware/ - https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/ drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_rdp_connection_successful.yml b/detections/endpoint/windows_rdp_connection_successful.yml index c6ffcae56c..5822f1ef40 100644 --- a/detections/endpoint/windows_rdp_connection_successful.yml +++ b/detections/endpoint/windows_rdp_connection_successful.yml @@ -7,21 +7,10 @@ status: production type: Hunting data_source: - Windows Event Log RemoteConnectionManager 1149 -description: The following analytic detects successful Remote Desktop Protocol (RDP) - connections by monitoring EventCode 1149 from the Windows TerminalServices RemoteConnectionManager - Operational log. This detection is significant as successful RDP connections can - indicate remote access to a system, which may be leveraged by attackers to control - or exfiltrate data. If confirmed malicious, this activity could lead to unauthorized - access, data theft, or further lateral movement within the network. Monitoring successful - RDP connections is crucial for identifying potential security breaches and mitigating - risks promptly. -search: '`remoteconnectionmanager` EventCode=1149 | stats count min(_time) as firstTime - max(_time) as lastTime by Computer, user_id | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` | rename Computer as dest | `windows_rdp_connection_successful_filter`' -how_to_implement: The following analyic requires the WIndows TerminalServices RemoteConnectionManager - Operational log to be enabled and ingested into Splunk. For the inputs, review https://gist.github.com/MHaggis/138c6bf563bacbda4a2524f089773706. -known_false_positives: False positives will be present, filter as needed or restrict - to critical assets on the perimeter. +description: The following analytic detects successful Remote Desktop Protocol (RDP) connections by monitoring EventCode 1149 from the Windows TerminalServices RemoteConnectionManager Operational log. This detection is significant as successful RDP connections can indicate remote access to a system, which may be leveraged by attackers to control or exfiltrate data. If confirmed malicious, this activity could lead to unauthorized access, data theft, or further lateral movement within the network. Monitoring successful RDP connections is crucial for identifying potential security breaches and mitigating risks promptly. +search: '`remoteconnectionmanager` EventCode=1149 | stats count min(_time) as firstTime max(_time) as lastTime by Computer, user_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | rename Computer as dest | `windows_rdp_connection_successful_filter`' +how_to_implement: The following analyic requires the WIndows TerminalServices RemoteConnectionManager Operational log to be enabled and ingested into Splunk. For the inputs, review https://gist.github.com/MHaggis/138c6bf563bacbda4a2524f089773706. +known_false_positives: False positives will be present, filter as needed or restrict to critical assets on the perimeter. references: - https://gist.github.com/MHaggis/138c6bf563bacbda4a2524f089773706 - https://doublepulsar.com/rdp-hijacking-how-to-hijack-rds-and-remoteapp-sessions-transparently-to-move-through-an-da2a1e73a5f6 @@ -56,8 +45,6 @@ tags: tests: - name: True Positive Test attack_data: - - data: - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1563.002/windows_rdp_connection_successful/windows-xml.log - source: - WinEventLog:Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1563.002/windows_rdp_connection_successful/windows-xml.log + source: WinEventLog:Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_registry_bootexecute_modification.yml b/detections/endpoint/windows_registry_bootexecute_modification.yml index ef96512328..1d7e0260b2 100644 --- a/detections/endpoint/windows_registry_bootexecute_modification.yml +++ b/detections/endpoint/windows_registry_bootexecute_modification.yml @@ -15,12 +15,12 @@ known_false_positives: False positives may be present and will need to be filter references: - https://www.microsoft.com/en-us/security/blog/2023/04/11/guidance-for-investigating-attacks-using-cve-2022-21894-the-blacklotus-campaign/ drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_registry_certificate_added.yml b/detections/endpoint/windows_registry_certificate_added.yml index d714c5f268..40921a998e 100644 --- a/detections/endpoint/windows_registry_certificate_added.yml +++ b/detections/endpoint/windows_registry_certificate_added.yml @@ -16,12 +16,12 @@ references: - https://posts.specterops.io/code-signing-certificate-cloning-attacks-and-defenses-6f98657fc6ec - https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/T1553.004 drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_registry_delete_task_sd.yml b/detections/endpoint/windows_registry_delete_task_sd.yml index ee4c27d14f..aa8603a419 100644 --- a/detections/endpoint/windows_registry_delete_task_sd.yml +++ b/detections/endpoint/windows_registry_delete_task_sd.yml @@ -17,12 +17,12 @@ references: - https://gist.github.com/MHaggis/5f7fd6745915166fc6da863d685e2728 - https://gist.github.com/MHaggis/b246e2fae6213e762a6e694cabaf0c17 drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_registry_modification_for_safe_mode_persistence.yml b/detections/endpoint/windows_registry_modification_for_safe_mode_persistence.yml index f0655e2f1c..ff69d5829f 100644 --- a/detections/endpoint/windows_registry_modification_for_safe_mode_persistence.yml +++ b/detections/endpoint/windows_registry_modification_for_safe_mode_persistence.yml @@ -18,12 +18,12 @@ references: - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1112/T1112.md - https://blog.didierstevens.com/2007/03/26/playing-with-safe-mode/ drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_registry_payload_injection.yml b/detections/endpoint/windows_registry_payload_injection.yml index 638683a16d..b9a60968d8 100644 --- a/detections/endpoint/windows_registry_payload_injection.yml +++ b/detections/endpoint/windows_registry_payload_injection.yml @@ -17,12 +17,12 @@ references: - https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/kovter-an-evolving-malware-gone-fileless - https://attack.mitre.org/techniques/T1027/011/ drilldown_searches: -- name: View the detection results for $dest$ and $user$ - search: '%original_detection_search% | search dest = $dest$ user = $user$' +- name: View the detection results for - "$dest$" and "$user$" + search: '%original_detection_search% | search dest = "$dest$" user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ and $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$, $user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" and "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_registry_sip_provider_modification.yml b/detections/endpoint/windows_registry_sip_provider_modification.yml index 7e0a88cbff..8221e68cf7 100644 --- a/detections/endpoint/windows_registry_sip_provider_modification.yml +++ b/detections/endpoint/windows_registry_sip_provider_modification.yml @@ -20,12 +20,12 @@ references: - https://github.com/mattifestation/PoCSubjectInterfacePackage - https://pentestlab.blog/2017/11/06/hijacking-digital-signatures/ drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_regsvr32_renamed_binary.yml b/detections/endpoint/windows_regsvr32_renamed_binary.yml index 16601331ef..8b1c246ff7 100644 --- a/detections/endpoint/windows_regsvr32_renamed_binary.yml +++ b/detections/endpoint/windows_regsvr32_renamed_binary.yml @@ -16,12 +16,12 @@ known_false_positives: unknown references: - https://twitter.com/pr0xylife/status/1585612370441031680?s=46&t=Dc3CJi4AnM-8rNoacLbScg drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_remote_access_software_brc4_loaded_dll.yml b/detections/endpoint/windows_remote_access_software_brc4_loaded_dll.yml index 2e55ca1418..63500bc299 100644 --- a/detections/endpoint/windows_remote_access_software_brc4_loaded_dll.yml +++ b/detections/endpoint/windows_remote_access_software_brc4_loaded_dll.yml @@ -20,12 +20,12 @@ references: - https://strontic.github.io/xcyclopedia/library/samcli.dll-522D6D616EF142CDE965BD3A450A9E4C.html - https://strontic.github.io/xcyclopedia/library/dbghelp.dll-15A55EAB307EF8C190FE6135C0A86F7C.html drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_remote_access_software_hunt.yml b/detections/endpoint/windows_remote_access_software_hunt.yml index c39d054638..6aa7c2e518 100644 --- a/detections/endpoint/windows_remote_access_software_hunt.yml +++ b/detections/endpoint/windows_remote_access_software_hunt.yml @@ -5,36 +5,14 @@ date: '2024-10-17' author: Michael Haag, Splunk status: production type: Hunting -description: The following analytic identifies the use of remote access software within - the environment. It leverages data from Endpoint Detection and Response (EDR) agents, - focusing on process execution logs. This detection is significant as unauthorized - remote access tools can be used by adversaries to maintain persistent access to - compromised systems. If confirmed malicious, this activity could allow attackers - to remotely control systems, exfiltrate data, or further infiltrate the network. - Review the identified software to ensure it is authorized and take action against - any unauthorized utilities. +description: The following analytic identifies the use of remote access software within the environment. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs. This detection is significant as unauthorized remote access tools can be used by adversaries to maintain persistent access to compromised systems. If confirmed malicious, this activity could allow attackers to remotely control systems, exfiltrate data, or further infiltrate the network. Review the identified software to ensure it is authorized and take action against any unauthorized utilities. data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) - as lastTime values(Processes.process) as process values(Processes.parent_process) - as parent_process from datamodel=Endpoint.Processes where Processes.dest!=unknown - Processes.user!=unknown by Processes.dest Processes.user Processes.process_name - Processes.process | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` - | `drop_dm_object_name(Processes)` | lookup remote_access_software remote_utility - AS process_name OUTPUT isutility | search isutility = True | `windows_remote_access_software_hunt_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection - and Response (EDR) agents. These agents are designed to provide security-related - telemetry from the endpoints where the agent is installed. To implement this search, - you must ingest logs that contain the process GUID, process name, and parent process. - Additionally, you must ingest complete command-line executions. These logs must - be processed using the appropriate Splunk Technology Add-ons that are specific to - the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` - data model. Use the Splunk Common Information Model (CIM) to normalize the field - names and speed up the data modeling process. -known_false_positives: False positives will be found. Filter as needed and create - higher fidelity analytics based off banned remote access software. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(Processes.process) as process values(Processes.parent_process) as parent_process from datamodel=Endpoint.Processes where Processes.dest!=unknown Processes.user!=unknown by Processes.dest Processes.user Processes.process_name Processes.process | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `drop_dm_object_name(Processes)` | lookup remote_access_software remote_utility AS process_name OUTPUT isutility | search isutility = True | `windows_remote_access_software_hunt_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. +known_false_positives: False positives will be found. Filter as needed and create higher fidelity analytics based off banned remote access software. references: - https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1219/T1219.md @@ -80,8 +58,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1219/atomic_red_team/windows-sysmon.log + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1219/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog update_timestamp: true diff --git a/detections/endpoint/windows_remote_access_software_rms_registry.yml b/detections/endpoint/windows_remote_access_software_rms_registry.yml index 884cf77976..315648ff7e 100644 --- a/detections/endpoint/windows_remote_access_software_rms_registry.yml +++ b/detections/endpoint/windows_remote_access_software_rms_registry.yml @@ -16,12 +16,12 @@ references: - https://app.any.run/tasks/a6f2ffe2-e6e2-4396-ae2e-04ea0143f2d8/ - https://malpedia.caad.fkie.fraunhofer.de/details/win.rms drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_remote_assistance_spawning_process.yml b/detections/endpoint/windows_remote_assistance_spawning_process.yml index b05cce5dbe..8999d4e184 100644 --- a/detections/endpoint/windows_remote_assistance_spawning_process.yml +++ b/detections/endpoint/windows_remote_assistance_spawning_process.yml @@ -17,12 +17,12 @@ references: - https://thedfirreport.com/2022/02/07/qbot-likes-to-move-it-move-it/ - https://app.any.run/tasks/ca1616de-89a1-4afc-a3e4-09d428df2420/ drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_remote_create_service.yml b/detections/endpoint/windows_remote_create_service.yml index 67b2a09d69..ab93a955a1 100644 --- a/detections/endpoint/windows_remote_create_service.yml +++ b/detections/endpoint/windows_remote_create_service.yml @@ -16,12 +16,12 @@ known_false_positives: Note that false positives may occur, and filtering may be references: - https://attack.mitre.org/techniques/T1543/003/ drilldown_searches: -- name: View the detection results for $user$ and $dest$ - search: '%original_detection_search% | search user = $user$ dest = $dest$' +- name: View the detection results for - "$user$" and "$dest$" + search: '%original_detection_search% | search user = "$user$" dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ and $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$, $dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" and "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_remote_service_rdpwinst_tool_execution.yml b/detections/endpoint/windows_remote_service_rdpwinst_tool_execution.yml index 82a4d002ae..0459042cfb 100644 --- a/detections/endpoint/windows_remote_service_rdpwinst_tool_execution.yml +++ b/detections/endpoint/windows_remote_service_rdpwinst_tool_execution.yml @@ -16,12 +16,12 @@ known_false_positives: This tool was designed for home usage and not commonly se references: - https://app.any.run/tasks/a6f2ffe2-e6e2-4396-ae2e-04ea0143f2d8/ drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_remote_services_allow_rdp_in_firewall.yml b/detections/endpoint/windows_remote_services_allow_rdp_in_firewall.yml index 0472faae97..5d4920f8e7 100644 --- a/detections/endpoint/windows_remote_services_allow_rdp_in_firewall.yml +++ b/detections/endpoint/windows_remote_services_allow_rdp_in_firewall.yml @@ -16,12 +16,12 @@ known_false_positives: administrators may enable or disable this feature that ma references: - https://app.any.run/tasks/a6f2ffe2-e6e2-4396-ae2e-04ea0143f2d8/ drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_remote_services_allow_remote_assistance.yml b/detections/endpoint/windows_remote_services_allow_remote_assistance.yml index 9e7d792223..0e836f545e 100644 --- a/detections/endpoint/windows_remote_services_allow_remote_assistance.yml +++ b/detections/endpoint/windows_remote_services_allow_remote_assistance.yml @@ -16,12 +16,12 @@ references: - https://docs.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/microsoft-windows-remoteassistance-exe-fallowtogethelp - https://app.any.run/tasks/a6f2ffe2-e6e2-4396-ae2e-04ea0143f2d8/ drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_remote_services_rdp_enable.yml b/detections/endpoint/windows_remote_services_rdp_enable.yml index b5908e3187..237182e98e 100644 --- a/detections/endpoint/windows_remote_services_rdp_enable.yml +++ b/detections/endpoint/windows_remote_services_rdp_enable.yml @@ -15,12 +15,12 @@ known_false_positives: administrators may enable or disable this feature that ma references: - https://www.hybrid-analysis.com/sample/9d6611c2779316f1ef4b4a6edcfdfb5e770fe32b31ec2200df268c3bd236ed75?environmentId=100 drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_replication_through_removable_media.yml b/detections/endpoint/windows_replication_through_removable_media.yml index 2ae9ff25f9..90e87efb94 100644 --- a/detections/endpoint/windows_replication_through_removable_media.yml +++ b/detections/endpoint/windows_replication_through_removable_media.yml @@ -15,12 +15,12 @@ references: - https://attack.mitre.org/techniques/T1204/002/ - https://www.fortinet.com/blog/threat-research/chaos-ransomware-variant-sides-with-russia drilldown_searches: -- name: View the detection results for $user$ - search: '%original_detection_search% | search user = $user$' +- name: View the detection results for - "$user$" + search: '%original_detection_search% | search user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_root_domain_linked_policies_discovery.yml b/detections/endpoint/windows_root_domain_linked_policies_discovery.yml index b1ef538fc7..a74be767af 100644 --- a/detections/endpoint/windows_root_domain_linked_policies_discovery.yml +++ b/detections/endpoint/windows_root_domain_linked_policies_discovery.yml @@ -15,12 +15,12 @@ references: - https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/ - https://medium.com/@pentesttas/discover-hidden-gpo-s-on-active-directory-using-ps-adsi-a284b6814c81 drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_rundll32_apply_user_settings_changes.yml b/detections/endpoint/windows_rundll32_apply_user_settings_changes.yml index fc525c7e7a..001de8ffb9 100644 --- a/detections/endpoint/windows_rundll32_apply_user_settings_changes.yml +++ b/detections/endpoint/windows_rundll32_apply_user_settings_changes.yml @@ -16,12 +16,12 @@ known_false_positives: unknown references: - https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-319a drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_rundll32_webdav_request.yml b/detections/endpoint/windows_rundll32_webdav_request.yml index 0d86ad61ff..b6960dada5 100644 --- a/detections/endpoint/windows_rundll32_webdav_request.yml +++ b/detections/endpoint/windows_rundll32_webdav_request.yml @@ -20,12 +20,12 @@ references: - https://msrc.microsoft.com/blog/2023/03/microsoft-mitigates-outlook-elevation-of-privilege-vulnerability/ - https://www.pwndefend.com/2023/03/15/the-long-game-persistent-hash-theft/ drilldown_searches: -- name: View the detection results for $user$ and $dest$ - search: '%original_detection_search% | search user = $user$ dest = $dest$' +- name: View the detection results for - "$user$" and "$dest$" + search: '%original_detection_search% | search user = "$user$" dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ and $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$, $dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" and "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_rundll32_webdav_with_network_connection.yml b/detections/endpoint/windows_rundll32_webdav_with_network_connection.yml index 082eb5a363..d9cff26d24 100644 --- a/detections/endpoint/windows_rundll32_webdav_with_network_connection.yml +++ b/detections/endpoint/windows_rundll32_webdav_with_network_connection.yml @@ -6,36 +6,10 @@ author: Michael Haag, Splunk type: TTP status: experimental data_source: [] -description: The following analytic detects the execution of rundll32.exe with command-line - arguments loading davclnt.dll and the davsetcookie function to access a remote WebDav - instance. It uses data from Endpoint Detection and Response (EDR) agents, correlating - process execution and network traffic data. This activity is significant as it may - indicate exploitation of CVE-2023-23397, a known vulnerability. If confirmed malicious, - this could allow an attacker to establish unauthorized remote connections, potentially - leading to data exfiltration or further network compromise. -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) - as lastTime FROM datamodel=Endpoint.Processes where Processes.parent_process_name=svchost.exe - `process_rundll32` Processes.process IN ("*\\windows\\system32\\davclnt.dll,*davsetcookie*", - "*\\windows\\syswow64\\davclnt.dll,*davsetcookie*") by host _time span=1h Processes.process_id - Processes.process_name Processes.dest Processes.process_path Processes.process Processes.parent_process_name - Processes.parent_process | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` | rename dest as src | join host process_id - [ | tstats `security_content_summariesonly` count latest(All_Traffic.dest) as dest - latest(All_Traffic.dest_ip) as dest_ip latest(All_Traffic.dest_port) as dest_port - FROM datamodel=Network_Traffic.All_Traffic where All_Traffic.dest_port!=0 NOT (All_Traffic.dest_ip - IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16)) by host All_Traffic.process_id - | `drop_dm_object_name(All_Traffic)`] | `windows_rundll32_webdav_with_network_connection_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection - and Response (EDR) agents. These agents are designed to provide security-related - telemetry from the endpoints where the agent is installed. To implement this search, - you must ingest logs that contain the process GUID, process name, and parent process. - Additionally, you must ingest complete command-line executions. These logs must - be processed using the appropriate Splunk Technology Add-ons that are specific to - the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` - data model. Use the Splunk Common Information Model (CIM) to normalize the field - names and speed up the data modeling process. -known_false_positives: False positives will be present based on legitimate software, - filtering may need to occur. +description: The following analytic detects the execution of rundll32.exe with command-line arguments loading davclnt.dll and the davsetcookie function to access a remote WebDav instance. It uses data from Endpoint Detection and Response (EDR) agents, correlating process execution and network traffic data. This activity is significant as it may indicate exploitation of CVE-2023-23397, a known vulnerability. If confirmed malicious, this could allow an attacker to establish unauthorized remote connections, potentially leading to data exfiltration or further network compromise. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes where Processes.parent_process_name=svchost.exe `process_rundll32` Processes.process IN ("*\\windows\\system32\\davclnt.dll,*davsetcookie*", "*\\windows\\syswow64\\davclnt.dll,*davsetcookie*") by host _time span=1h Processes.process_id Processes.process_name Processes.dest Processes.process_path Processes.process Processes.parent_process_name Processes.parent_process | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | rename dest as src | join host process_id [ | tstats `security_content_summariesonly` count latest(All_Traffic.dest) as dest latest(All_Traffic.dest_ip) as dest_ip latest(All_Traffic.dest_port) as dest_port FROM datamodel=Network_Traffic.All_Traffic where All_Traffic.dest_port!=0 NOT (All_Traffic.dest_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16)) by host All_Traffic.process_id | `drop_dm_object_name(All_Traffic)`] | `windows_rundll32_webdav_with_network_connection_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. +known_false_positives: False positives will be present based on legitimate software, filtering may need to occur. references: - https://strontic.github.io/xcyclopedia/library/davclnt.dll-0EA3050E7CC710526E330C413C165DA0.html - https://twitter.com/ACEResponder/status/1636116096506818562?s=20 @@ -50,8 +24,7 @@ tags: - CVE-2023-23397 confidence: 60 impact: 80 - message: An instance of $parent_process_name$ spawning $process_name$ was identified - on endpoint $dest$ by user $user$ attempting to contact a remote WebDav server. + message: An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to contact a remote WebDav server. mitre_attack_id: - T1048.003 observable: @@ -96,7 +69,6 @@ tags: tests: - name: True Positive Test attack_data: - - data: - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1048.003/cve-2023-23397/webdav_windows-sysmon.log + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1048.003/cve-2023-23397/webdav_windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/windows_scheduled_task_created_via_xml.yml b/detections/endpoint/windows_scheduled_task_created_via_xml.yml index f2b037fb2e..2568eb5434 100644 --- a/detections/endpoint/windows_scheduled_task_created_via_xml.yml +++ b/detections/endpoint/windows_scheduled_task_created_via_xml.yml @@ -17,12 +17,12 @@ references: - https://twitter.com/_CERT_UA/status/1620781684257091584 - https://cert.gov.ua/article/3761104 drilldown_searches: -- name: View the detection results for $dest$ and $user$ - search: '%original_detection_search% | search dest = $dest$ user = $user$' +- name: View the detection results for - "$dest$" and "$user$" + search: '%original_detection_search% | search dest = "$dest$" user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ and $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$, $user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" and "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_scheduled_task_dll_module_loaded.yml b/detections/endpoint/windows_scheduled_task_dll_module_loaded.yml index e2b8d5b0de..318450a1ad 100644 --- a/detections/endpoint/windows_scheduled_task_dll_module_loaded.yml +++ b/detections/endpoint/windows_scheduled_task_dll_module_loaded.yml @@ -15,12 +15,12 @@ references: - https://www.proofpoint.com/us/blog/threat-insight/chinese-malware-appears-earnest-across-cybercrime-threat-landscape - https://www.fortinet.com/blog/threat-research/valleyrat-campaign-targeting-chinese-speakers drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_scheduled_task_service_spawned_shell.yml b/detections/endpoint/windows_scheduled_task_service_spawned_shell.yml index ca4667957c..a242e9528e 100644 --- a/detections/endpoint/windows_scheduled_task_service_spawned_shell.yml +++ b/detections/endpoint/windows_scheduled_task_service_spawned_shell.yml @@ -18,12 +18,12 @@ references: - https://nasbench.medium.com/a-deep-dive-into-windows-scheduled-tasks-and-the-processes-running-them-218d1eed4cce - https://attack.mitre.org/techniques/T1053/005/ drilldown_searches: -- name: View the detection results for $dest$ and $user$ - search: '%original_detection_search% | search dest = $dest$ user = $user$' +- name: View the detection results for - "$dest$" and "$user$" + search: '%original_detection_search% | search dest = "$dest$" user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ and $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$, $user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" and "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_scheduled_task_with_highest_privileges.yml b/detections/endpoint/windows_scheduled_task_with_highest_privileges.yml index ad40b37103..1e1f6fa1ae 100644 --- a/detections/endpoint/windows_scheduled_task_with_highest_privileges.yml +++ b/detections/endpoint/windows_scheduled_task_with_highest_privileges.yml @@ -16,12 +16,12 @@ known_false_positives: False positives may arise from legitimate applications th references: - https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_scheduled_tasks_for_compmgmtlauncher_or_eventvwr.yml b/detections/endpoint/windows_scheduled_tasks_for_compmgmtlauncher_or_eventvwr.yml index 4da686e07c..181be4f7dd 100644 --- a/detections/endpoint/windows_scheduled_tasks_for_compmgmtlauncher_or_eventvwr.yml +++ b/detections/endpoint/windows_scheduled_tasks_for_compmgmtlauncher_or_eventvwr.yml @@ -15,12 +15,12 @@ references: - https://www.proofpoint.com/us/blog/threat-insight/chinese-malware-appears-earnest-across-cybercrime-threat-landscape - https://www.fortinet.com/blog/threat-research/valleyrat-campaign-targeting-chinese-speakers drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_schtasks_create_run_as_system.yml b/detections/endpoint/windows_schtasks_create_run_as_system.yml index 08c810ed53..0766c5480f 100644 --- a/detections/endpoint/windows_schtasks_create_run_as_system.yml +++ b/detections/endpoint/windows_schtasks_create_run_as_system.yml @@ -18,12 +18,12 @@ references: - https://www.ired.team/offensive-security/persistence/t1053-schtask - https://thedfirreport.com/2022/02/07/qbot-likes-to-move-it-move-it/ drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_screen_capture_via_powershell.yml b/detections/endpoint/windows_screen_capture_via_powershell.yml index 29abb7c701..87dd21bb74 100644 --- a/detections/endpoint/windows_screen_capture_via_powershell.yml +++ b/detections/endpoint/windows_screen_capture_via_powershell.yml @@ -15,12 +15,12 @@ references: - https://twitter.com/_CERT_UA/status/1620781684257091584 - https://cert.gov.ua/article/3761104 drilldown_searches: -- name: View the detection results for $Computer$ - search: '%original_detection_search% | search Computer = $Computer$' +- name: View the detection results for - "$Computer$" + search: '%original_detection_search% | search Computer = "$Computer$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $Computer$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($Computer$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$Computer$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$Computer$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_security_account_manager_stopped.yml b/detections/endpoint/windows_security_account_manager_stopped.yml index b0a117fafb..faee18f8e9 100644 --- a/detections/endpoint/windows_security_account_manager_stopped.yml +++ b/detections/endpoint/windows_security_account_manager_stopped.yml @@ -15,12 +15,12 @@ how_to_implement: The detection is based on data that originates from Endpoint D known_false_positives: SAM is a critical windows service, stopping it would cause major issues on an endpoint this makes false positive rare. AlthoughNo false positives have been identified. references: [] drilldown_searches: -- name: View the detection results for $dest$ and $user$ - search: '%original_detection_search% | search dest = $dest$ user = $user$' +- name: View the detection results for - "$dest$" and "$user$" + search: '%original_detection_search% | search dest = "$dest$" user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ and $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$, $user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" and "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_security_support_provider_reg_query.yml b/detections/endpoint/windows_security_support_provider_reg_query.yml index 6609eb72ba..efe07e8d00 100644 --- a/detections/endpoint/windows_security_support_provider_reg_query.yml +++ b/detections/endpoint/windows_security_support_provider_reg_query.yml @@ -18,12 +18,12 @@ references: - https://github.com/carlospolop/PEASS-ng/tree/master/winPEAS - https://www.microsoft.com/en-us/security/blog/2022/10/14/new-prestige-ransomware-impacts-organizations-in-ukraine-and-poland/ drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_server_software_component_gacutil_install_to_gac.yml b/detections/endpoint/windows_server_software_component_gacutil_install_to_gac.yml index e3295167b1..b5f063ed13 100644 --- a/detections/endpoint/windows_server_software_component_gacutil_install_to_gac.yml +++ b/detections/endpoint/windows_server_software_component_gacutil_install_to_gac.yml @@ -19,12 +19,12 @@ references: - https://www.microsoft.com/en-us/security/blog/2022/07/26/malicious-iis-extensions-quietly-open-persistent-backdoors-into-servers/ - https://learn.microsoft.com/en-us/dotnet/framework/app-domains/gac drilldown_searches: -- name: View the detection results for $user$ and $dest$ - search: '%original_detection_search% | search user = $user$ dest = $dest$' +- name: View the detection results for - "$user$" and "$dest$" + search: '%original_detection_search% | search user = "$user$" dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ and $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$, $dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" and "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_service_create_kernel_mode_driver.yml b/detections/endpoint/windows_service_create_kernel_mode_driver.yml index 96e813c0a8..47e23d86ee 100644 --- a/detections/endpoint/windows_service_create_kernel_mode_driver.yml +++ b/detections/endpoint/windows_service_create_kernel_mode_driver.yml @@ -16,12 +16,12 @@ known_false_positives: False positives may be present based on common applicatio references: - https://www.aon.com/cyber-solutions/aon_cyber_labs/yours-truly-signed-av-driver-weaponizing-an-antivirus-driver/ drilldown_searches: -- name: View the detection results for $user$ and $dest$ - search: '%original_detection_search% | search user = $user$ dest = $dest$' +- name: View the detection results for - "$user$" and "$dest$" + search: '%original_detection_search% | search user = "$user$" dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ and $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$, $dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" and "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_service_create_remcomsvc.yml b/detections/endpoint/windows_service_create_remcomsvc.yml index 311eb0d296..b4a9f7f042 100644 --- a/detections/endpoint/windows_service_create_remcomsvc.yml +++ b/detections/endpoint/windows_service_create_remcomsvc.yml @@ -15,12 +15,12 @@ references: - https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/ - https://github.com/kavika13/RemCom drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_service_create_sliverc2.yml b/detections/endpoint/windows_service_create_sliverc2.yml index 9c069c1e34..6ada30be0a 100644 --- a/detections/endpoint/windows_service_create_sliverc2.yml +++ b/detections/endpoint/windows_service_create_sliverc2.yml @@ -16,12 +16,12 @@ references: - https://www.microsoft.com/en-us/security/blog/2022/08/24/looking-for-the-sliver-lining-hunting-for-emerging-command-and-control-frameworks/ - https://regex101.com/r/DWkkXm/1 drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_service_create_with_tscon.yml b/detections/endpoint/windows_service_create_with_tscon.yml index 84e86644cb..98749f4b30 100644 --- a/detections/endpoint/windows_service_create_with_tscon.yml +++ b/detections/endpoint/windows_service_create_with_tscon.yml @@ -17,12 +17,12 @@ references: - https://doublepulsar.com/rdp-hijacking-how-to-hijack-rds-and-remoteapp-sessions-transparently-to-move-through-an-da2a1e73a5f6 - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1563.002/T1563.002.md drilldown_searches: -- name: View the detection results for $user$ and $dest$ - search: '%original_detection_search% | search user = $user$ dest = $dest$' +- name: View the detection results for - "$user$" and "$dest$" + search: '%original_detection_search% | search user = "$user$" dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ and $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$, $dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" and "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_service_created_with_suspicious_service_path.yml b/detections/endpoint/windows_service_created_with_suspicious_service_path.yml index ea913ce478..934a861942 100644 --- a/detections/endpoint/windows_service_created_with_suspicious_service_path.yml +++ b/detections/endpoint/windows_service_created_with_suspicious_service_path.yml @@ -15,12 +15,12 @@ references: - https://www.mandiant.com/resources/fin11-email-campaigns-precursor-for-ransomware-data-theft - https://blog.virustotal.com/2020/11/keep-your-friends-close-keep-ransomware.html drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_service_created_within_public_path.yml b/detections/endpoint/windows_service_created_within_public_path.yml index 6be61221ab..67ba6d45a0 100644 --- a/detections/endpoint/windows_service_created_within_public_path.yml +++ b/detections/endpoint/windows_service_created_within_public_path.yml @@ -15,12 +15,12 @@ references: - https://docs.microsoft.com/en-us/windows/win32/services/service-control-manager - https://pentestlab.blog/2020/07/21/lateral-movement-services/ drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_service_creation_on_remote_endpoint.yml b/detections/endpoint/windows_service_creation_on_remote_endpoint.yml index 825779000d..c2e2d07938 100644 --- a/detections/endpoint/windows_service_creation_on_remote_endpoint.yml +++ b/detections/endpoint/windows_service_creation_on_remote_endpoint.yml @@ -18,12 +18,12 @@ references: - https://docs.microsoft.com/en-us/windows/win32/services/controlling-a-service-using-sc - https://attack.mitre.org/techniques/T1543/003/ drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_service_creation_using_registry_entry.yml b/detections/endpoint/windows_service_creation_using_registry_entry.yml index 1ca917bfe9..4263ba6ad9 100644 --- a/detections/endpoint/windows_service_creation_using_registry_entry.yml +++ b/detections/endpoint/windows_service_creation_using_registry_entry.yml @@ -15,12 +15,12 @@ known_false_positives: Third party tools may used this technique to create servi references: - https://github.com/redcanaryco/atomic-red-team/blob/36d49de4c8b00bf36054294b4a1fcbab3917d7c5/atomics/T1574.011/T1574.011.md drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_service_deletion_in_registry.yml b/detections/endpoint/windows_service_deletion_in_registry.yml index c269b4f1c5..77afb2be18 100644 --- a/detections/endpoint/windows_service_deletion_in_registry.yml +++ b/detections/endpoint/windows_service_deletion_in_registry.yml @@ -15,12 +15,12 @@ known_false_positives: This event can be seen when administrator delete a servic references: - https://unit42.paloaltonetworks.com/brute-ratel-c4-tool/ drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_service_initiation_on_remote_endpoint.yml b/detections/endpoint/windows_service_initiation_on_remote_endpoint.yml index 8ef6466a6f..8ccf495466 100644 --- a/detections/endpoint/windows_service_initiation_on_remote_endpoint.yml +++ b/detections/endpoint/windows_service_initiation_on_remote_endpoint.yml @@ -17,12 +17,12 @@ references: - https://docs.microsoft.com/en-us/windows/win32/services/controlling-a-service-using-sc - https://attack.mitre.org/techniques/T1543/003/ drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_service_stop_by_deletion.yml b/detections/endpoint/windows_service_stop_by_deletion.yml index ce27e67866..e71e897ab6 100644 --- a/detections/endpoint/windows_service_stop_by_deletion.yml +++ b/detections/endpoint/windows_service_stop_by_deletion.yml @@ -18,12 +18,12 @@ references: - https://thedfirreport.com/2020/04/20/sqlserver-or-the-miner-in-the-basement/ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.003/T1543.003.md drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_service_stop_via_net__and_sc_application.yml b/detections/endpoint/windows_service_stop_via_net__and_sc_application.yml index cde1e4cca1..4a7e17eaf6 100644 --- a/detections/endpoint/windows_service_stop_via_net__and_sc_application.yml +++ b/detections/endpoint/windows_service_stop_via_net__and_sc_application.yml @@ -16,12 +16,12 @@ known_false_positives: Windows OS or software may stop and restart services due references: - https://www.microsoft.com/en-us/security/blog/2022/10/14/new-prestige-ransomware-impacts-organizations-in-ukraine-and-poland/ drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_service_stop_win_updates.yml b/detections/endpoint/windows_service_stop_win_updates.yml index bc04f24103..76110d8b19 100644 --- a/detections/endpoint/windows_service_stop_win_updates.yml +++ b/detections/endpoint/windows_service_stop_win_updates.yml @@ -14,12 +14,12 @@ known_false_positives: Network administrator may disable this services as part o references: - https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_sip_provider_inventory.yml b/detections/endpoint/windows_sip_provider_inventory.yml index c3316976d8..88203d9c78 100644 --- a/detections/endpoint/windows_sip_provider_inventory.yml +++ b/detections/endpoint/windows_sip_provider_inventory.yml @@ -6,21 +6,10 @@ author: Michael Haag, Splunk status: production type: Hunting data_source: [] -description: The following analytic identifies all SIP (Subject Interface Package) - providers on a Windows system using PowerShell scripted inputs. It detects SIP providers - by capturing DLL paths from relevant events. This activity is significant because - malicious SIP providers can be used to bypass trust controls, potentially allowing - unauthorized code execution. If confirmed malicious, this activity could enable - attackers to subvert system integrity, leading to unauthorized access or persistent - threats within the environment. Analysts should review for new and non-standard - paths to identify potential threats. -search: '`subjectinterfacepackage` Dll=*\\*.dll | stats count min(_time) as firstTime - max(_time) as lastTime values(Dll) by Path host| `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)`| `windows_sip_provider_inventory_filter`' -how_to_implement: To implement this analytic, one must first perform inventory using - a scripted inputs. Review the following Gist - https://gist.github.com/MHaggis/75dd5db546c143ea67703d0e86cdbbd1 -known_false_positives: False positives are limited as this is a hunting query for - inventory. +description: The following analytic identifies all SIP (Subject Interface Package) providers on a Windows system using PowerShell scripted inputs. It detects SIP providers by capturing DLL paths from relevant events. This activity is significant because malicious SIP providers can be used to bypass trust controls, potentially allowing unauthorized code execution. If confirmed malicious, this activity could enable attackers to subvert system integrity, leading to unauthorized access or persistent threats within the environment. Analysts should review for new and non-standard paths to identify potential threats. +search: '`subjectinterfacepackage` Dll=*\\*.dll | stats count min(_time) as firstTime max(_time) as lastTime values(Dll) by Path host| `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `windows_sip_provider_inventory_filter`' +how_to_implement: To implement this analytic, one must first perform inventory using a scripted inputs. Review the following Gist - https://gist.github.com/MHaggis/75dd5db546c143ea67703d0e86cdbbd1 +known_false_positives: False positives are limited as this is a hunting query for inventory. references: - https://gist.github.com/MHaggis/75dd5db546c143ea67703d0e86cdbbd1 tags: @@ -30,8 +19,7 @@ tags: atomic_guid: [] confidence: 50 impact: 50 - message: A list of SIP providers on the system is available. Review for new and - non-standard paths for SIP providers on $host$. + message: A list of SIP providers on the system is available. Review for new and non-standard paths for SIP providers on $host$. mitre_attack_id: - T1553.003 observable: @@ -52,7 +40,6 @@ tags: tests: - name: True Positive Test attack_data: - - data: - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1553.003/sip/sip_inventory.log + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1553.003/sip/sip_inventory.log source: powershell://SubjectInterfacePackage sourcetype: PwSh:SubjectInterfacePackage diff --git a/detections/endpoint/windows_sip_winverifytrust_failed_trust_validation.yml b/detections/endpoint/windows_sip_winverifytrust_failed_trust_validation.yml index 79a55da317..30429661a4 100644 --- a/detections/endpoint/windows_sip_winverifytrust_failed_trust_validation.yml +++ b/detections/endpoint/windows_sip_winverifytrust_failed_trust_validation.yml @@ -18,12 +18,12 @@ references: - https://github.com/mattifestation/PoCSubjectInterfacePackage - https://pentestlab.blog/2017/11/06/hijacking-digital-signatures/ drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_snake_malware_file_modification_crmlog.yml b/detections/endpoint/windows_snake_malware_file_modification_crmlog.yml index 217d88aa55..d3acabd8c9 100644 --- a/detections/endpoint/windows_snake_malware_file_modification_crmlog.yml +++ b/detections/endpoint/windows_snake_malware_file_modification_crmlog.yml @@ -14,12 +14,12 @@ known_false_positives: False positives may be present as the file pattern does m references: - https://media.defense.gov/2023/May/09/2003218554/-1/-1/0/JOINT_CSA_HUNTING_RU_INTEL_SNAKE_MALWARE_20230509.PDF drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_snake_malware_kernel_driver_comadmin.yml b/detections/endpoint/windows_snake_malware_kernel_driver_comadmin.yml index 3ea216ae2a..e0280450a7 100644 --- a/detections/endpoint/windows_snake_malware_kernel_driver_comadmin.yml +++ b/detections/endpoint/windows_snake_malware_kernel_driver_comadmin.yml @@ -14,12 +14,12 @@ known_false_positives: False positives may be present, filter as needed. references: - https://media.defense.gov/2023/May/09/2003218554/-1/-1/0/JOINT_CSA_HUNTING_RU_INTEL_SNAKE_MALWARE_20230509.PDF drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_snake_malware_registry_modification_wav_openwithprogids.yml b/detections/endpoint/windows_snake_malware_registry_modification_wav_openwithprogids.yml index f9f82a274b..f679f8cc4a 100644 --- a/detections/endpoint/windows_snake_malware_registry_modification_wav_openwithprogids.yml +++ b/detections/endpoint/windows_snake_malware_registry_modification_wav_openwithprogids.yml @@ -15,12 +15,12 @@ known_false_positives: False positives may be present and will require tuning ba references: - https://media.defense.gov/2023/May/09/2003218554/-1/-1/0/JOINT_CSA_HUNTING_RU_INTEL_SNAKE_MALWARE_20230509.PDF drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_snake_malware_service_create.yml b/detections/endpoint/windows_snake_malware_service_create.yml index 492f0a89f1..2bbf8e3e0d 100644 --- a/detections/endpoint/windows_snake_malware_service_create.yml +++ b/detections/endpoint/windows_snake_malware_service_create.yml @@ -14,12 +14,12 @@ known_false_positives: False positives should be limited as this is a strict pri references: - https://media.defense.gov/2023/May/09/2003218554/-1/-1/0/JOINT_CSA_HUNTING_RU_INTEL_SNAKE_MALWARE_20230509.PDF drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_soaphound_binary_execution.yml b/detections/endpoint/windows_soaphound_binary_execution.yml index d992bbe85c..f567ff9905 100644 --- a/detections/endpoint/windows_soaphound_binary_execution.yml +++ b/detections/endpoint/windows_soaphound_binary_execution.yml @@ -16,12 +16,12 @@ known_false_positives: False positives should be limited as the command-line arg references: - https://github.com/FalconForceTeam/SOAPHound drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_spearphishing_attachment_connect_to_none_ms_office_domain.yml b/detections/endpoint/windows_spearphishing_attachment_connect_to_none_ms_office_domain.yml index 8007ff7a4b..b8ffd65206 100644 --- a/detections/endpoint/windows_spearphishing_attachment_connect_to_none_ms_office_domain.yml +++ b/detections/endpoint/windows_spearphishing_attachment_connect_to_none_ms_office_domain.yml @@ -5,27 +5,12 @@ date: '2024-10-17' author: Teoderick Contreras, Splunk status: production type: Hunting -description: The following analytic identifies suspicious Office documents that connect - to non-Microsoft Office domains. It leverages Sysmon EventCode 22 to detect processes - like winword.exe or excel.exe making DNS queries to domains outside of *.office.com - or *.office.net. This activity is significant as it may indicate a spearphishing - attempt using malicious documents to download or connect to harmful content. If - confirmed malicious, this could lead to unauthorized data access, malware infection, - or further network compromise. +description: The following analytic identifies suspicious Office documents that connect to non-Microsoft Office domains. It leverages Sysmon EventCode 22 to detect processes like winword.exe or excel.exe making DNS queries to domains outside of *.office.com or *.office.net. This activity is significant as it may indicate a spearphishing attempt using malicious documents to download or connect to harmful content. If confirmed malicious, this could lead to unauthorized data access, malware infection, or further network compromise. data_source: - Sysmon EventID 22 -search: '`sysmon` EventCode=22 Image IN ("*\\winword.exe","*\\excel.exe","*\\powerpnt.exe","*\\mspub.exe","*\\visio.exe","*\\wordpad.exe","*\\wordview.exe","*\\onenote.exe", - "*\\onenotem.exe","*\\onenoteviewer.exe","*\\onenoteim.exe", "*\\msaccess.exe") - AND NOT(QueryName IN ("*.office.com", "*.office.net")) | stats count min(_time) - as firstTime max(_time) as lastTime by Image QueryName QueryResults QueryStatus - Computer | rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` - | `windows_spearphishing_attachment_connect_to_none_ms_office_domain_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting - logs with the process name, parent process, and command-line executions from your - endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the - Sysmon TA. -known_false_positives: Windows Office document may contain legitimate url link other - than MS office Domain. filter is needed +search: '`sysmon` EventCode=22 Image IN ("*\\winword.exe","*\\excel.exe","*\\powerpnt.exe","*\\mspub.exe","*\\visio.exe","*\\wordpad.exe","*\\wordview.exe","*\\onenote.exe", "*\\onenotem.exe","*\\onenoteviewer.exe","*\\onenoteim.exe", "*\\msaccess.exe") AND NOT(QueryName IN ("*.office.com", "*.office.net")) | stats count min(_time) as firstTime max(_time) as lastTime by Image QueryName QueryResults QueryStatus Computer | rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_spearphishing_attachment_connect_to_none_ms_office_domain_filter`' +how_to_implement: To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. +known_false_positives: Windows Office document may contain legitimate url link other than MS office Domain. filter is needed references: - https://www.netskope.com/blog/asyncrat-using-fully-undetected-downloader - https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat @@ -36,8 +21,7 @@ tags: asset_type: Endpoint confidence: 30 impact: 30 - message: a office document process $Image$ connect to an URL link $QueryName$ in - $dest$ + message: a office document process $Image$ connect to an URL link $QueryName$ in $dest$ mitre_attack_id: - T1566.001 - T1566 @@ -62,8 +46,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566.001/office_doc_abuses_rels/sysmon.log + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566.001/office_doc_abuses_rels/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog update_timestamp: true diff --git a/detections/endpoint/windows_spearphishing_attachment_onenote_spawn_mshta.yml b/detections/endpoint/windows_spearphishing_attachment_onenote_spawn_mshta.yml index 08f75a572c..f714e30a6b 100644 --- a/detections/endpoint/windows_spearphishing_attachment_onenote_spawn_mshta.yml +++ b/detections/endpoint/windows_spearphishing_attachment_onenote_spawn_mshta.yml @@ -17,12 +17,12 @@ references: - https://www.bleepingcomputer.com/news/security/hackers-now-use-microsoft-onenote-attachments-to-spread-malware/ - https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_special_privileged_logon_on_multiple_hosts.yml b/detections/endpoint/windows_special_privileged_logon_on_multiple_hosts.yml index 4bae587cad..8d9bd03fd2 100644 --- a/detections/endpoint/windows_special_privileged_logon_on_multiple_hosts.yml +++ b/detections/endpoint/windows_special_privileged_logon_on_multiple_hosts.yml @@ -17,12 +17,12 @@ references: - https://thedfirreport.com/2023/01/23/sharefinder-how-threat-actors-discover-file-shares/ - https://attack.mitre.org/tactics/TA0008/ drilldown_searches: -- name: View the detection results for $user$ - search: '%original_detection_search% | search user = $user$' +- name: View the detection results for - "$user$" + search: '%original_detection_search% | search user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_sql_spawning_certutil.yml b/detections/endpoint/windows_sql_spawning_certutil.yml index e2af5b1211..ce2594020a 100644 --- a/detections/endpoint/windows_sql_spawning_certutil.yml +++ b/detections/endpoint/windows_sql_spawning_certutil.yml @@ -9,33 +9,10 @@ data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -description: The following analytic detects the use of certutil to download software, - specifically when spawned by SQL-related processes. This detection leverages Endpoint - Detection and Response (EDR) data, focusing on command-line executions involving - certutil with parameters like *urlcache* and *split*. This activity is significant - as it may indicate a compromise by threat actors, such as Flax Typhoon, who use - certutil to establish persistent VPN connections. If confirmed malicious, this behavior - could allow attackers to maintain access, monitor system availability, and potentially - escalate to data theft or ransomware deployment. -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) - as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name - IN ("sqlservr.exe", "sqlagent.exe", "sqlps.exe", "launchpad.exe", "sqldumper.exe") - `process_certutil` (Processes.process=*urlcache* Processes.process=*split*) OR Processes.process=*urlcache* - by Processes.dest Processes.user Processes.parent_process Processes.parent_process_name - Processes.process_name Processes.process Processes.process_id Processes.original_file_name - Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` | `windows_sql_spawning_certutil_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection - and Response (EDR) agents. These agents are designed to provide security-related - telemetry from the endpoints where the agent is installed. To implement this search, - you must ingest logs that contain the process GUID, process name, and parent process. - Additionally, you must ingest complete command-line executions. These logs must - be processed using the appropriate Splunk Technology Add-ons that are specific to - the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` - data model. Use the Splunk Common Information Model (CIM) to normalize the field - names and speed up the data modeling process. -known_false_positives: The occurrence of false positives should be minimal, given - that the SQL agent does not typically download software using CertUtil. +description: The following analytic detects the use of certutil to download software, specifically when spawned by SQL-related processes. This detection leverages Endpoint Detection and Response (EDR) data, focusing on command-line executions involving certutil with parameters like *urlcache* and *split*. This activity is significant as it may indicate a compromise by threat actors, such as Flax Typhoon, who use certutil to establish persistent VPN connections. If confirmed malicious, this behavior could allow attackers to maintain access, monitor system availability, and potentially escalate to data theft or ransomware deployment. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name IN ("sqlservr.exe", "sqlagent.exe", "sqlps.exe", "launchpad.exe", "sqldumper.exe") `process_certutil` (Processes.process=*urlcache* Processes.process=*split*) OR Processes.process=*urlcache* by Processes.dest Processes.user Processes.parent_process Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.original_file_name Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_sql_spawning_certutil_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. +known_false_positives: The occurrence of false positives should be minimal, given that the SQL agent does not typically download software using CertUtil. references: - https://www.microsoft.com/en-us/security/blog/2023/08/24/flax-typhoon-using-legitimate-software-to-quietly-access-taiwanese-organizations/ tags: @@ -45,8 +22,7 @@ tags: atomic_guid: [] confidence: 100 impact: 90 - message: $process_name$ was launched on $dest$ by $user$. This behavior is uncommon - with the SQL process identified. + message: $process_name$ was launched on $dest$ by $user$. This behavior is uncommon with the SQL process identified. mitre_attack_id: - T1105 observable: diff --git a/detections/endpoint/windows_sqlwriter_sqldumper_dll_sideload.yml b/detections/endpoint/windows_sqlwriter_sqldumper_dll_sideload.yml index 4b0bdde019..a80f26a0c0 100644 --- a/detections/endpoint/windows_sqlwriter_sqldumper_dll_sideload.yml +++ b/detections/endpoint/windows_sqlwriter_sqldumper_dll_sideload.yml @@ -15,12 +15,12 @@ references: - https://www.mandiant.com/resources/blog/apt29-wineloader-german-political-parties - https://www.zscaler.com/blogs/security-research/european-diplomats-targeted-spikedwine-wineloader drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_steal_authentication_certificates___esc1_abuse.yml b/detections/endpoint/windows_steal_authentication_certificates___esc1_abuse.yml index 4042a6846b..99252680f7 100644 --- a/detections/endpoint/windows_steal_authentication_certificates___esc1_abuse.yml +++ b/detections/endpoint/windows_steal_authentication_certificates___esc1_abuse.yml @@ -17,12 +17,12 @@ references: - https://github.com/ly4k/Certipy#esc1 - https://pentestlaboratories.com/2021/11/08/threat-hunting-certificate-account-persistence/ drilldown_searches: -- name: View the detection results for $src$ and $dest$ - search: '%original_detection_search% | search src = $src$ dest = $dest$' +- name: View the detection results for - "$src$" and "$dest$" + search: '%original_detection_search% | search src = "$src$" dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $src$ and $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($src$, $dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$src$" and "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_steal_authentication_certificates___esc1_authentication.yml b/detections/endpoint/windows_steal_authentication_certificates___esc1_authentication.yml index 1adf351d71..8adf070e45 100644 --- a/detections/endpoint/windows_steal_authentication_certificates___esc1_authentication.yml +++ b/detections/endpoint/windows_steal_authentication_certificates___esc1_authentication.yml @@ -17,12 +17,12 @@ references: - https://github.com/ly4k/Certipy#esc1 - https://pentestlaboratories.com/2021/11/08/threat-hunting-certificate-account-persistence/ drilldown_searches: -- name: View the detection results for $src$ and $dest$ - search: '%original_detection_search% | search src = $src$ dest = $dest$ src_user = $src_user$ user = $user$' +- name: View the detection results for - "$src$" and "$dest$" + search: '%original_detection_search% | search src = "$src$" dest = "$dest$" src_user = "$src_user$" user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $src$ and $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($src$, $dest$, $src_user$, $user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$src$" and "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src$", "$dest$", "$src_user$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_steal_authentication_certificates_certificate_issued.yml b/detections/endpoint/windows_steal_authentication_certificates_certificate_issued.yml index f6190dad37..a4360ac56e 100644 --- a/detections/endpoint/windows_steal_authentication_certificates_certificate_issued.yml +++ b/detections/endpoint/windows_steal_authentication_certificates_certificate_issued.yml @@ -14,12 +14,12 @@ known_false_positives: False positives will be generated based on normal certifi references: - https://specterops.io/wp-content/uploads/sites/3/2022/06/Certified_Pre-Owned.pdf drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_steal_authentication_certificates_certificate_request.yml b/detections/endpoint/windows_steal_authentication_certificates_certificate_request.yml index 2154abe9bf..189ba19231 100644 --- a/detections/endpoint/windows_steal_authentication_certificates_certificate_request.yml +++ b/detections/endpoint/windows_steal_authentication_certificates_certificate_request.yml @@ -14,12 +14,12 @@ known_false_positives: False positives will be generated based on normal certifi references: - https://specterops.io/wp-content/uploads/sites/3/2022/06/Certified_Pre-Owned.pdf drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_steal_authentication_certificates_certutil_backup.yml b/detections/endpoint/windows_steal_authentication_certificates_certutil_backup.yml index 9848d0b5e4..794001b99a 100644 --- a/detections/endpoint/windows_steal_authentication_certificates_certutil_backup.yml +++ b/detections/endpoint/windows_steal_authentication_certificates_certutil_backup.yml @@ -16,12 +16,12 @@ known_false_positives: False positives will be generated based on normal certifi references: - https://specterops.io/wp-content/uploads/sites/3/2022/06/Certified_Pre-Owned.pdf drilldown_searches: -- name: View the detection results for $user$ and $dest$ - search: '%original_detection_search% | search user = $user$ dest = $dest$' +- name: View the detection results for - "$user$" and "$dest$" + search: '%original_detection_search% | search user = "$user$" dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ and $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$, $dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" and "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_steal_authentication_certificates_cryptoapi.yml b/detections/endpoint/windows_steal_authentication_certificates_cryptoapi.yml index 2c4285da56..f9f54089c2 100644 --- a/detections/endpoint/windows_steal_authentication_certificates_cryptoapi.yml +++ b/detections/endpoint/windows_steal_authentication_certificates_cryptoapi.yml @@ -14,12 +14,12 @@ known_false_positives: False positives may be present in some instances of legit references: - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-vista/cc749296(v=ws.10) drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_steal_authentication_certificates_cs_backup.yml b/detections/endpoint/windows_steal_authentication_certificates_cs_backup.yml index dd8cf7f7f2..4de9440ec6 100644 --- a/detections/endpoint/windows_steal_authentication_certificates_cs_backup.yml +++ b/detections/endpoint/windows_steal_authentication_certificates_cs_backup.yml @@ -14,12 +14,12 @@ known_false_positives: False positives will be generated based on normal certifi references: - https://specterops.io/wp-content/uploads/sites/3/2022/06/Certified_Pre-Owned.pdf drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_steal_authentication_certificates_export_certificate.yml b/detections/endpoint/windows_steal_authentication_certificates_export_certificate.yml index e4e41b130c..2b02ca877b 100644 --- a/detections/endpoint/windows_steal_authentication_certificates_export_certificate.yml +++ b/detections/endpoint/windows_steal_authentication_certificates_export_certificate.yml @@ -17,12 +17,12 @@ references: - https://dev.to/iamthecarisma/managing-windows-pfx-certificates-through-powershell-3pj - https://learn.microsoft.com/en-us/powershell/module/pki/export-certificate?view=windowsserver2022-ps drilldown_searches: -- name: View the detection results for $user$ and $dest$ - search: '%original_detection_search% | search user = $user$ dest = $dest$' +- name: View the detection results for - "$user$" and "$dest$" + search: '%original_detection_search% | search user = "$user$" dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ and $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$, $dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" and "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_steal_authentication_certificates_export_pfxcertificate.yml b/detections/endpoint/windows_steal_authentication_certificates_export_pfxcertificate.yml index 9d98df4609..c9d6971039 100644 --- a/detections/endpoint/windows_steal_authentication_certificates_export_pfxcertificate.yml +++ b/detections/endpoint/windows_steal_authentication_certificates_export_pfxcertificate.yml @@ -17,12 +17,12 @@ references: - https://dev.to/iamthecarisma/managing-windows-pfx-certificates-through-powershell-3pj - https://learn.microsoft.com/en-us/powershell/module/pki/export-pfxcertificate?view=windowsserver2022-ps drilldown_searches: -- name: View the detection results for $user$ and $dest$ - search: '%original_detection_search% | search user = $user$ dest = $dest$' +- name: View the detection results for - "$user$" and "$dest$" + search: '%original_detection_search% | search user = "$user$" dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ and $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$, $dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" and "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_steal_or_forge_kerberos_tickets_klist.yml b/detections/endpoint/windows_steal_or_forge_kerberos_tickets_klist.yml index 73d7d89e9d..ff9743a531 100644 --- a/detections/endpoint/windows_steal_or_forge_kerberos_tickets_klist.yml +++ b/detections/endpoint/windows_steal_or_forge_kerberos_tickets_klist.yml @@ -5,34 +5,13 @@ date: '2024-10-17' author: Teoderick Contreras, Splunk status: production type: Hunting -description: The following analytic identifies the execution of the Windows OS tool - klist.exe, often used by post-exploitation tools like winpeas. This detection leverages - data from Endpoint Detection and Response (EDR) agents, focusing on process and - parent process details. Monitoring klist.exe is significant as it can indicate attempts - to list or gather cached Kerberos tickets, which are crucial for lateral movement - or privilege escalation. If confirmed malicious, this activity could enable attackers - to move laterally within the network or escalate privileges, posing a severe security - risk. +description: The following analytic identifies the execution of the Windows OS tool klist.exe, often used by post-exploitation tools like winpeas. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process and parent process details. Monitoring klist.exe is significant as it can indicate attempts to list or gather cached Kerberos tickets, which are crucial for lateral movement or privilege escalation. If confirmed malicious, this activity could enable attackers to move laterally within the network or escalate privileges, posing a severe security risk. data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) - as lastTime from datamodel=Endpoint.Processes where Processes.process_name="klist.exe" - OR Processes.original_file_name = "klist.exe" Processes.parent_process_name IN ("cmd.exe", - "powershell*") by Processes.process_name Processes.original_file_name Processes.process - Processes.process_id Processes.process_guid Processes.parent_process_name Processes.parent_process - Processes.parent_process_guid Processes.dest Processes.user | `drop_dm_object_name(Processes)` - | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_steal_or_forge_kerberos_tickets_klist_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection - and Response (EDR) agents. These agents are designed to provide security-related - telemetry from the endpoints where the agent is installed. To implement this search, - you must ingest logs that contain the process GUID, process name, and parent process. - Additionally, you must ingest complete command-line executions. These logs must - be processed using the appropriate Splunk Technology Add-ons that are specific to - the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` - data model. Use the Splunk Common Information Model (CIM) to normalize the field - names and speed up the data modeling process. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name="klist.exe" OR Processes.original_file_name = "klist.exe" Processes.parent_process_name IN ("cmd.exe", "powershell*") by Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.process_guid Processes.parent_process_name Processes.parent_process Processes.parent_process_guid Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_steal_or_forge_kerberos_tickets_klist_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. known_false_positives: unknown references: - https://github.com/carlospolop/PEASS-ng/tree/master/winPEAS @@ -76,8 +55,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/winpeas/sysmon.log + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/winpeas/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog update_timestamp: true diff --git a/detections/endpoint/windows_suspect_process_with_authentication_traffic.yml b/detections/endpoint/windows_suspect_process_with_authentication_traffic.yml index 61532100a4..514117a7b2 100644 --- a/detections/endpoint/windows_suspect_process_with_authentication_traffic.yml +++ b/detections/endpoint/windows_suspect_process_with_authentication_traffic.yml @@ -15,12 +15,12 @@ references: - https://attack.mitre.org/techniques/T1069/002/ - https://book.hacktricks.xyz/network-services-pentesting/pentesting-kerberos-88 drilldown_searches: -- name: View the detection results for $src$ and $dest$ - search: '%original_detection_search% | search src = $src$ dest = $dest$ user = $user$' +- name: View the detection results for - "$src$" and "$dest$" + search: '%original_detection_search% | search src = "$src$" dest = "$dest$" user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $src$ and $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($src$, $dest$, $user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$src$" and "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src$", "$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_system_binary_proxy_execution_compiled_html_file_decompile.yml b/detections/endpoint/windows_system_binary_proxy_execution_compiled_html_file_decompile.yml index 47795fb4c8..21fd6cf2dc 100644 --- a/detections/endpoint/windows_system_binary_proxy_execution_compiled_html_file_decompile.yml +++ b/detections/endpoint/windows_system_binary_proxy_execution_compiled_html_file_decompile.yml @@ -19,12 +19,12 @@ references: - https://attack.mitre.org/techniques/T1218/001/ - https://docs.microsoft.com/en-us/windows/win32/api/htmlhelp/nf-htmlhelp-htmlhelpa drilldown_searches: -- name: View the detection results for $user$ and $dest$ - search: '%original_detection_search% | search user = $user$ dest = $dest$' +- name: View the detection results for - "$user$" and "$dest$" + search: '%original_detection_search% | search user = "$user$" dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ and $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$, $dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" and "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_system_discovery_using_ldap_nslookup.yml b/detections/endpoint/windows_system_discovery_using_ldap_nslookup.yml index 0ce7b2d406..ae8c902197 100644 --- a/detections/endpoint/windows_system_discovery_using_ldap_nslookup.yml +++ b/detections/endpoint/windows_system_discovery_using_ldap_nslookup.yml @@ -17,12 +17,12 @@ references: - https://securelist.com/qakbot-technical-analysis/103931/ - https://learn.microsoft.com/en-us/troubleshoot/windows-server/networking/verify-srv-dns-records-have-been-created drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_system_discovery_using_qwinsta.yml b/detections/endpoint/windows_system_discovery_using_qwinsta.yml index b1bde75c4e..26f67cd726 100644 --- a/detections/endpoint/windows_system_discovery_using_qwinsta.yml +++ b/detections/endpoint/windows_system_discovery_using_qwinsta.yml @@ -5,36 +5,14 @@ date: '2024-10-17' author: Teoderick Contreras, Splunk status: production type: Hunting -description: The following analytic detects the execution of "qwinsta.exe" on a Windows - operating system. This detection leverages data from Endpoint Detection and Response - (EDR) agents, focusing on process execution logs. The "qwinsta.exe" tool is significant - because it can display detailed session information on a remote desktop session - host server. This behavior is noteworthy as it is commonly abused by Qakbot malware - to gather system information and send it back to its Command and Control (C2) server. - If confirmed malicious, this activity could lead to unauthorized data exfiltration - and further compromise of the host. +description: The following analytic detects the execution of "qwinsta.exe" on a Windows operating system. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs. The "qwinsta.exe" tool is significant because it can display detailed session information on a remote desktop session host server. This behavior is noteworthy as it is commonly abused by Qakbot malware to gather system information and send it back to its Command and Control (C2) server. If confirmed malicious, this activity could lead to unauthorized data exfiltration and further compromise of the host. data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) - as lastTime from datamodel=Endpoint.Processes where Processes.process_name = "qwinsta.exe" - OR Processes.original_file_name = "qwinsta.exe" by Processes.parent_process Processes.parent_process_name - Processes.process_name Processes.process_id Processes.process_guid Processes.process - Processes.user Processes.dest Processes.parent_process_id Processes.original_file_name - | `drop_dm_object_name("Processes")` | `security_content_ctime(firstTime)` |`security_content_ctime(lastTime)` - | `windows_system_discovery_using_qwinsta_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection - and Response (EDR) agents. These agents are designed to provide security-related - telemetry from the endpoints where the agent is installed. To implement this search, - you must ingest logs that contain the process GUID, process name, and parent process. - Additionally, you must ingest complete command-line executions. These logs must - be processed using the appropriate Splunk Technology Add-ons that are specific to - the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` - data model. Use the Splunk Common Information Model (CIM) to normalize the field - names and speed up the data modeling process. -known_false_positives: Administrator may execute this commandline tool for auditing - purposes. Filter as needed. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = "qwinsta.exe" OR Processes.original_file_name = "qwinsta.exe" by Processes.parent_process Processes.parent_process_name Processes.process_name Processes.process_id Processes.process_guid Processes.process Processes.user Processes.dest Processes.parent_process_id Processes.original_file_name | `drop_dm_object_name("Processes")` | `security_content_ctime(firstTime)` |`security_content_ctime(lastTime)` | `windows_system_discovery_using_qwinsta_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. +known_false_positives: Administrator may execute this commandline tool for auditing purposes. Filter as needed. references: - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/qwinsta - https://securelist.com/qakbot-technical-analysis/103931/ @@ -74,8 +52,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1033/qakbot_discovery_cmdline/sysmon.log + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1033/qakbot_discovery_cmdline/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog update_timestamp: true diff --git a/detections/endpoint/windows_system_file_on_disk.yml b/detections/endpoint/windows_system_file_on_disk.yml index d4a6643542..4c11b9c8dd 100644 --- a/detections/endpoint/windows_system_file_on_disk.yml +++ b/detections/endpoint/windows_system_file_on_disk.yml @@ -5,26 +5,11 @@ date: '2024-10-17' author: Michael Haag, Splunk status: production type: Hunting -description: The following analytic detects the creation of new .sys files on disk. - It leverages the Endpoint.Filesystem data model to identify and log instances where - .sys files are written to the filesystem. This activity is significant because .sys - files are often used as kernel mode drivers, and their unauthorized creation can - indicate malicious activity such as rootkit installation. If confirmed malicious, - this could allow an attacker to gain kernel-level access, leading to full system - compromise, persistent control, and the ability to bypass security mechanisms. +description: The following analytic detects the creation of new .sys files on disk. It leverages the Endpoint.Filesystem data model to identify and log instances where .sys files are written to the filesystem. This activity is significant because .sys files are often used as kernel mode drivers, and their unauthorized creation can indicate malicious activity such as rootkit installation. If confirmed malicious, this could allow an attacker to gain kernel-level access, leading to full system compromise, persistent control, and the ability to bypass security mechanisms. data_source: - Sysmon EventID 11 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) - as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.file_name="*.sys*" - by _time span=1h Filesystem.dest Filesystem.file_create_time Filesystem.file_name - Filesystem.file_path Filesystem.file_hash | `drop_dm_object_name(Filesystem)` | - `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `windows_system_file_on_disk_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information - on files from your endpoints into the `Endpoint` datamodel in the `Filesystem` node. - In addition, confirm the latest CIM App 4.20 or higher is installed and the latest - TA for the endpoint product. In addition, filtering may occur by adding NOT (Filesystem.file_path - IN ("*\\Windows\\*", "*\\Program File*", "*\\systemroot\\*","%SystemRoot%*", "system32\*")). - This will level out the noise generated to potentally lead to generating notables. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.file_name="*.sys*" by _time span=1h Filesystem.dest Filesystem.file_create_time Filesystem.file_name Filesystem.file_path Filesystem.file_hash | `drop_dm_object_name(Filesystem)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `windows_system_file_on_disk_filter`' +how_to_implement: To successfully implement this search you need to be ingesting information on files from your endpoints into the `Endpoint` datamodel in the `Filesystem` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product. In addition, filtering may occur by adding NOT (Filesystem.file_path IN ("*\\Windows\\*", "*\\Program File*", "*\\systemroot\\*","%SystemRoot%*", "system32\*")). This will level out the noise generated to potentally lead to generating notables. known_false_positives: False positives will be present. Filter as needed. references: - https://redcanary.com/blog/tracking-driver-inventory-to-expose-rootkits/ @@ -63,8 +48,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1068/drivers/sysmon_sys_filemod.log + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1068/drivers/sysmon_sys_filemod.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog update_timestamp: true diff --git a/detections/endpoint/windows_system_logoff_commandline.yml b/detections/endpoint/windows_system_logoff_commandline.yml index 1032b956a7..d5aa78063f 100644 --- a/detections/endpoint/windows_system_logoff_commandline.yml +++ b/detections/endpoint/windows_system_logoff_commandline.yml @@ -17,12 +17,12 @@ references: - https://attack.mitre.org/techniques/T1529/ - https://www.mandiant.com/resources/analyzing-dark-crystal-rat-backdoor drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_system_network_config_discovery_display_dns.yml b/detections/endpoint/windows_system_network_config_discovery_display_dns.yml index 8034551059..080f775c36 100644 --- a/detections/endpoint/windows_system_network_config_discovery_display_dns.yml +++ b/detections/endpoint/windows_system_network_config_discovery_display_dns.yml @@ -18,12 +18,12 @@ references: - https://github.com/carlospolop/PEASS-ng/tree/master/winPEAS - https://www.microsoft.com/en-us/security/blog/2022/10/14/new-prestige-ransomware-impacts-organizations-in-ukraine-and-poland/ drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_system_network_connections_discovery_netsh.yml b/detections/endpoint/windows_system_network_connections_discovery_netsh.yml index a64bb7097f..bce973bef6 100644 --- a/detections/endpoint/windows_system_network_connections_discovery_netsh.yml +++ b/detections/endpoint/windows_system_network_connections_discovery_netsh.yml @@ -18,12 +18,12 @@ references: - https://github.com/carlospolop/PEASS-ng/tree/master/winPEAS - https://www.microsoft.com/en-us/security/blog/2022/10/14/new-prestige-ransomware-impacts-organizations-in-ukraine-and-poland/ drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_system_reboot_commandline.yml b/detections/endpoint/windows_system_reboot_commandline.yml index f0c035ca12..cd8a00644e 100644 --- a/detections/endpoint/windows_system_reboot_commandline.yml +++ b/detections/endpoint/windows_system_reboot_commandline.yml @@ -17,12 +17,12 @@ references: - https://attack.mitre.org/techniques/T1529/ - https://www.mandiant.com/resources/analyzing-dark-crystal-rat-backdoor drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_system_script_proxy_execution_syncappvpublishingserver.yml b/detections/endpoint/windows_system_script_proxy_execution_syncappvpublishingserver.yml index 607000876e..8b40401f6e 100644 --- a/detections/endpoint/windows_system_script_proxy_execution_syncappvpublishingserver.yml +++ b/detections/endpoint/windows_system_script_proxy_execution_syncappvpublishingserver.yml @@ -17,12 +17,12 @@ references: - https://lolbas-project.github.io/lolbas/Scripts/Syncappvpublishingserver/ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1216/T1216.md#atomic-test-1---syncappvpublishingserver-signed-script-powershell-command-execution drilldown_searches: -- name: View the detection results for $user$ and $dest$ - search: '%original_detection_search% | search user = $user$ dest = $dest$' +- name: View the detection results for - "$user$" and "$dest$" + search: '%original_detection_search% | search user = "$user$" dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ and $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$, $dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" and "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_system_shutdown_commandline.yml b/detections/endpoint/windows_system_shutdown_commandline.yml index 2ea57c8240..a86dd41d85 100644 --- a/detections/endpoint/windows_system_shutdown_commandline.yml +++ b/detections/endpoint/windows_system_shutdown_commandline.yml @@ -17,12 +17,12 @@ references: - https://attack.mitre.org/techniques/T1529/ - https://www.mandiant.com/resources/analyzing-dark-crystal-rat-backdoor drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_system_time_discovery_w32tm_delay.yml b/detections/endpoint/windows_system_time_discovery_w32tm_delay.yml index 642bb55aae..8dd5bb80e6 100644 --- a/detections/endpoint/windows_system_time_discovery_w32tm_delay.yml +++ b/detections/endpoint/windows_system_time_discovery_w32tm_delay.yml @@ -18,12 +18,12 @@ references: - https://malpedia.caad.fkie.fraunhofer.de/details/win.dcrat - https://www.mandiant.com/resources/analyzing-dark-crystal-rat-backdoor drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_system_user_discovery_via_quser.yml b/detections/endpoint/windows_system_user_discovery_via_quser.yml index 473864faac..e9024cae44 100644 --- a/detections/endpoint/windows_system_user_discovery_via_quser.yml +++ b/detections/endpoint/windows_system_user_discovery_via_quser.yml @@ -5,36 +5,14 @@ date: '2024-10-17' author: Teoderick Contreras, Splunk status: production type: Hunting -description: The following analytic detects the execution of the Windows OS tool quser.exe, - commonly used to gather information about user sessions on a Remote Desktop Session - Host server. This detection leverages data from Endpoint Detection and Response - (EDR) agents, focusing on process execution logs. Monitoring this activity is crucial - as quser.exe is often abused by post-exploitation tools like winpeas, used in ransomware - attacks to enumerate user sessions. If confirmed malicious, attackers could leverage - this information to further compromise the system, maintain persistence, or escalate - privileges. +description: The following analytic detects the execution of the Windows OS tool quser.exe, commonly used to gather information about user sessions on a Remote Desktop Session Host server. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs. Monitoring this activity is crucial as quser.exe is often abused by post-exploitation tools like winpeas, used in ransomware attacks to enumerate user sessions. If confirmed malicious, attackers could leverage this information to further compromise the system, maintain persistence, or escalate privileges. data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) - as lastTime from datamodel=Endpoint.Processes where Processes.process_name="quser.exe" - OR Processes.original_file_name = "quser.exe" by Processes.process_name Processes.original_file_name - Processes.process Processes.process_id Processes.process_guid Processes.parent_process_name - Processes.parent_process Processes.parent_process_guid Processes.dest Processes.user - | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` - | `windows_system_user_discovery_via_quser_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection - and Response (EDR) agents. These agents are designed to provide security-related - telemetry from the endpoints where the agent is installed. To implement this search, - you must ingest logs that contain the process GUID, process name, and parent process. - Additionally, you must ingest complete command-line executions. These logs must - be processed using the appropriate Splunk Technology Add-ons that are specific to - the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` - data model. Use the Splunk Common Information Model (CIM) to normalize the field - names and speed up the data modeling process. -known_false_positives: network administrator can use this command tool to audit RDP - access of user in specific network or host. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name="quser.exe" OR Processes.original_file_name = "quser.exe" by Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.process_guid Processes.parent_process_name Processes.parent_process Processes.parent_process_guid Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_system_user_discovery_via_quser_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. +known_false_positives: network administrator can use this command tool to audit RDP access of user in specific network or host. references: - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/quser - https://github.com/carlospolop/PEASS-ng/tree/master/winPEAS @@ -78,8 +56,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/winpeas/sysmon.log + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/winpeas/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog update_timestamp: true diff --git a/detections/endpoint/windows_system_user_privilege_discovery.yml b/detections/endpoint/windows_system_user_privilege_discovery.yml index 4af25a5d70..bf22a1a506 100644 --- a/detections/endpoint/windows_system_user_privilege_discovery.yml +++ b/detections/endpoint/windows_system_user_privilege_discovery.yml @@ -9,30 +9,10 @@ data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -description: The following analytic detects the execution of `whoami.exe` with the - `/priv` parameter, which displays the privileges assigned to the current user account. - It leverages data from Endpoint Detection and Response (EDR) agents, focusing on - process names and command-line executions. This activity is significant as it may - indicate an adversary attempting to enumerate user privileges, a common step in - the reconnaissance phase of an attack. If confirmed malicious, this could lead to - privilege escalation or further exploitation within the environment. -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) - as lastTime from datamodel=Endpoint.Processes where Processes.process_name="whoami.exe" - Processes.process= "*/priv*" by Processes.dest Processes.user Processes.parent_process - Processes.process_name Processes.process Processes.process_id Processes.parent_process_id - | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` - | `windows_system_user_privilege_discovery_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection - and Response (EDR) agents. These agents are designed to provide security-related - telemetry from the endpoints where the agent is installed. To implement this search, - you must ingest logs that contain the process GUID, process name, and parent process. - Additionally, you must ingest complete command-line executions. These logs must - be processed using the appropriate Splunk Technology Add-ons that are specific to - the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` - data model. Use the Splunk Common Information Model (CIM) to normalize the field - names and speed up the data modeling process. -known_false_positives: Administrators or power users may use this command for troubleshooting. - Filter as needed. +description: The following analytic detects the execution of `whoami.exe` with the `/priv` parameter, which displays the privileges assigned to the current user account. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. This activity is significant as it may indicate an adversary attempting to enumerate user privileges, a common step in the reconnaissance phase of an attack. If confirmed malicious, this could lead to privilege escalation or further exploitation within the environment. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name="whoami.exe" Processes.process= "*/priv*" by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_system_user_privilege_discovery_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. +known_false_positives: Administrators or power users may use this command for troubleshooting. Filter as needed. references: - https://attack.mitre.org/techniques/T1033/ - https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a @@ -42,8 +22,7 @@ tags: asset_type: Endpoint confidence: 50 impact: 30 - message: Activity related to system user privilege discovery detected on $dest$ - using whoami.exe. + message: Activity related to system user privilege discovery detected on $dest$ using whoami.exe. mitre_attack_id: - T1033 observable: @@ -73,7 +52,6 @@ tags: tests: - name: True Positive Test attack_data: - - data: - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1033/whoami_priv/whoami-priv-sysmon.log + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1033/whoami_priv/whoami-priv-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/windows_terminating_lsass_process.yml b/detections/endpoint/windows_terminating_lsass_process.yml index 6d6269f3e3..b753550ec6 100644 --- a/detections/endpoint/windows_terminating_lsass_process.yml +++ b/detections/endpoint/windows_terminating_lsass_process.yml @@ -14,12 +14,12 @@ known_false_positives: unknown references: - https://blog.talosintelligence.com/2022/03/threat-advisory-doublezero.html drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_time_based_evasion.yml b/detections/endpoint/windows_time_based_evasion.yml index e85b2f1e5e..f0f25bd798 100644 --- a/detections/endpoint/windows_time_based_evasion.yml +++ b/detections/endpoint/windows_time_based_evasion.yml @@ -16,12 +16,12 @@ known_false_positives: unknown references: - https://malpedia.caad.fkie.fraunhofer.de/details/win.njrat drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_time_based_evasion_via_choice_exec.yml b/detections/endpoint/windows_time_based_evasion_via_choice_exec.yml index e056000196..a166d8dc41 100644 --- a/detections/endpoint/windows_time_based_evasion_via_choice_exec.yml +++ b/detections/endpoint/windows_time_based_evasion_via_choice_exec.yml @@ -17,12 +17,12 @@ references: - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/choice - https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_uac_bypass_suspicious_child_process.yml b/detections/endpoint/windows_uac_bypass_suspicious_child_process.yml index f0aab7b87c..08783d9e3e 100644 --- a/detections/endpoint/windows_uac_bypass_suspicious_child_process.yml +++ b/detections/endpoint/windows_uac_bypass_suspicious_child_process.yml @@ -19,12 +19,12 @@ references: - https://hadess.io/user-account-control-uncontrol-mastering-the-art-of-bypassing-windows-uac/ - https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/ drilldown_searches: -- name: View the detection results for $dest$ and $user$ - search: '%original_detection_search% | search dest = $dest$ user = $user$' +- name: View the detection results for - "$dest$" and "$user$" + search: '%original_detection_search% | search dest = "$dest$" user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ and $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$, $user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" and "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_uac_bypass_suspicious_escalation_behavior.yml b/detections/endpoint/windows_uac_bypass_suspicious_escalation_behavior.yml index a6228db1c7..6777f8dca2 100644 --- a/detections/endpoint/windows_uac_bypass_suspicious_escalation_behavior.yml +++ b/detections/endpoint/windows_uac_bypass_suspicious_escalation_behavior.yml @@ -19,12 +19,12 @@ references: - https://hadess.io/user-account-control-uncontrol-mastering-the-art-of-bypassing-windows-uac/ - https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/ drilldown_searches: -- name: View the detection results for $dest$ and $user$ - search: '%original_detection_search% | search dest = $dest$ user = $user$' +- name: View the detection results for - "$dest$" and "$user$" + search: '%original_detection_search% | search dest = "$dest$" user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ and $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$, $user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" and "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_unsecured_outlook_credentials_access_in_registry.yml b/detections/endpoint/windows_unsecured_outlook_credentials_access_in_registry.yml index 552322ae6b..caf0e14513 100644 --- a/detections/endpoint/windows_unsecured_outlook_credentials_access_in_registry.yml +++ b/detections/endpoint/windows_unsecured_outlook_credentials_access_in_registry.yml @@ -15,12 +15,12 @@ references: - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/choice - https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_unsigned_dll_side_loading.yml b/detections/endpoint/windows_unsigned_dll_side_loading.yml index c41f58edb2..938fdb3eeb 100644 --- a/detections/endpoint/windows_unsigned_dll_side_loading.yml +++ b/detections/endpoint/windows_unsigned_dll_side_loading.yml @@ -15,12 +15,12 @@ references: - https://asec.ahnlab.com/en/17692/ - https://www.blackberry.com/us/en/solutions/endpoint-security/ransomware-protection/warzone#:~:text=Warzone%20RAT%20(AKA%20Ave%20Maria)%20is%20a%20remote%20access%20trojan,is%20as%20an%20information%20stealer. drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_unsigned_dll_side_loading_in_same_process_path.yml b/detections/endpoint/windows_unsigned_dll_side_loading_in_same_process_path.yml index 1386cabb89..392466be84 100644 --- a/detections/endpoint/windows_unsigned_dll_side_loading_in_same_process_path.yml +++ b/detections/endpoint/windows_unsigned_dll_side_loading_in_same_process_path.yml @@ -15,12 +15,12 @@ references: - https://www.splunk.com/en_us/blog/security/enter-the-gates-an-analysis-of-the-darkgate-autoit-loader.html - https://www.trendmicro.com/en_us/research/23/b/investigating-the-plugx-trojan-disguised-as-a-legitimate-windows.html drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_unsigned_ms_dll_side_loading.yml b/detections/endpoint/windows_unsigned_ms_dll_side_loading.yml index 3f5dbe0a61..afaa7f03b5 100644 --- a/detections/endpoint/windows_unsigned_ms_dll_side_loading.yml +++ b/detections/endpoint/windows_unsigned_ms_dll_side_loading.yml @@ -15,12 +15,12 @@ references: - https://www.mandiant.com/resources/blog/apt29-wineloader-german-political-parties - https://www.zscaler.com/blogs/security-research/european-diplomats-targeted-spikedwine-wineloader drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_unusual_count_of_disabled_users_failed_auth_using_kerberos.yml b/detections/endpoint/windows_unusual_count_of_disabled_users_failed_auth_using_kerberos.yml index e265254f7f..4bcefdccce 100644 --- a/detections/endpoint/windows_unusual_count_of_disabled_users_failed_auth_using_kerberos.yml +++ b/detections/endpoint/windows_unusual_count_of_disabled_users_failed_auth_using_kerberos.yml @@ -10,12 +10,12 @@ name: Windows Unusual Count Of Disabled Users Failed Auth Using Kerberos references: - https://attack.mitre.org/techniques/T1110/003/ drilldown_searches: -- name: View the detection results for $user$ - search: '%original_detection_search% | search user = $user$' +- name: View the detection results for - "$user$" + search: '%original_detection_search% | search user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ search: '`wineventlog_security` EventCode=4768 TargetUserName!=*$ Status=0x12 | bucket span=5m _time | stats dc(TargetUserName) AS unique_accounts values(TargetUserName) as user by _time, IpAddress | eventstats avg(unique_accounts) as comp_avg , stdev(unique_accounts) as comp_std by IpAddress | eval upperBound=(comp_avg+comp_std*3) | eval isOutlier=if(unique_accounts > 10 and unique_accounts >= upperBound, 1, 0) | search isOutlier=1 | `windows_unusual_count_of_disabled_users_failed_auth_using_kerberos_filter`' diff --git a/detections/endpoint/windows_unusual_count_of_invalid_users_fail_to_auth_using_kerberos.yml b/detections/endpoint/windows_unusual_count_of_invalid_users_fail_to_auth_using_kerberos.yml index b22bb18273..69985257ed 100644 --- a/detections/endpoint/windows_unusual_count_of_invalid_users_fail_to_auth_using_kerberos.yml +++ b/detections/endpoint/windows_unusual_count_of_invalid_users_fail_to_auth_using_kerberos.yml @@ -10,12 +10,12 @@ name: Windows Unusual Count Of Invalid Users Fail To Auth Using Kerberos references: - https://attack.mitre.org/techniques/T1110/003/ drilldown_searches: -- name: View the detection results for $user$ - search: '%original_detection_search% | search user = $user$' +- name: View the detection results for - "$user$" + search: '%original_detection_search% | search user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ search: '`wineventlog_security` EventCode=4768 TargetUserName!=*$ Status=0x6 | bucket span=5m _time | stats dc(TargetUserName) AS unique_accounts values(TargetUserName) as user by _time, IpAddress | eventstats avg(unique_accounts) as comp_avg , stdev(unique_accounts) as comp_std by IpAddress | eval upperBound=(comp_avg+comp_std*3) | eval isOutlier=if(unique_accounts > 10 and unique_accounts >= upperBound, 1, 0) | search isOutlier=1 | `windows_unusual_count_of_invalid_users_fail_to_auth_using_kerberos_filter`' diff --git a/detections/endpoint/windows_unusual_count_of_invalid_users_failed_to_auth_using_ntlm.yml b/detections/endpoint/windows_unusual_count_of_invalid_users_failed_to_auth_using_ntlm.yml index ebb6dbcf1d..0857438d35 100644 --- a/detections/endpoint/windows_unusual_count_of_invalid_users_failed_to_auth_using_ntlm.yml +++ b/detections/endpoint/windows_unusual_count_of_invalid_users_failed_to_auth_using_ntlm.yml @@ -12,12 +12,12 @@ references: - https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-credential-validation - https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4776 drilldown_searches: -- name: View the detection results for $user$ - search: '%original_detection_search% | search user = $user$' +- name: View the detection results for - "$user$" + search: '%original_detection_search% | search user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ search: '`wineventlog_security` EventCode=4776 TargetUserName!=*$ Status=0xc0000064 | bucket span=2m _time | stats dc(TargetUserName) AS unique_accounts values(TargetUserName) as user by _time, Workstation | eventstats avg(unique_accounts) as comp_avg , stdev(unique_accounts) as comp_std by Workstation | eval upperBound=(comp_avg+comp_std*3) | eval isOutlier=if(unique_accounts > 10 and unique_accounts >= upperBound, 1, 0) | search isOutlier=1 | rename Workstation as src |`windows_unusual_count_of_invalid_users_failed_to_auth_using_ntlm_filter`' diff --git a/detections/endpoint/windows_unusual_count_of_users_fail_to_auth_wth_explicitcredentials.yml b/detections/endpoint/windows_unusual_count_of_users_fail_to_auth_wth_explicitcredentials.yml index d7a0579171..c2668a46de 100644 --- a/detections/endpoint/windows_unusual_count_of_users_fail_to_auth_wth_explicitcredentials.yml +++ b/detections/endpoint/windows_unusual_count_of_users_fail_to_auth_wth_explicitcredentials.yml @@ -12,12 +12,12 @@ references: - https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4648 - https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/basic-audit-logon-events drilldown_searches: -- name: View the detection results for $user$ - search: '%original_detection_search% | search user = $user$' +- name: View the detection results for - "$user$" + search: '%original_detection_search% | search user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ search: '`wineventlog_security` EventCode=4648 Caller_User_Name!=*$ Target_User_Name!=*$ | bucket span=5m _time | stats dc(Target_User_Name) AS unique_accounts values(Target_User_Name) as user by _time, Computer, Caller_User_Name | eventstats avg(unique_accounts) as comp_avg , stdev(unique_accounts) as comp_std by Computer | eval upperBound=(comp_avg+comp_std*3) | eval isOutlier=if(unique_accounts > 10 and unique_accounts >= upperBound, 1, 0) | search isOutlier=1 | `windows_unusual_count_of_users_fail_to_auth_wth_explicitcredentials_filter`' diff --git a/detections/endpoint/windows_unusual_count_of_users_failed_to_auth_using_kerberos.yml b/detections/endpoint/windows_unusual_count_of_users_failed_to_auth_using_kerberos.yml index 3b028402ed..5d29cbb5e7 100644 --- a/detections/endpoint/windows_unusual_count_of_users_failed_to_auth_using_kerberos.yml +++ b/detections/endpoint/windows_unusual_count_of_users_failed_to_auth_using_kerberos.yml @@ -12,12 +12,12 @@ references: - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn319109(v=ws.11) - https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4771 drilldown_searches: -- name: View the detection results for $user$ - search: '%original_detection_search% | search user = $user$' +- name: View the detection results for - "$user$" + search: '%original_detection_search% | search user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ search: '`wineventlog_security` EventCode=4771 TargetUserName!="*$" Status=0x18 | bucket span=5m _time | stats dc(TargetUserName) AS unique_accounts values(TargetUserName) as user by _time, IpAddress | eventstats avg(unique_accounts) as comp_avg , stdev(unique_accounts) as comp_std by IpAddress | eval upperBound=(comp_avg+comp_std*3) | eval isOutlier=if(unique_accounts > 10 and unique_accounts >= upperBound, 1, 0) | search isOutlier=1 | `windows_unusual_count_of_users_failed_to_auth_using_kerberos_filter`' diff --git a/detections/endpoint/windows_unusual_count_of_users_failed_to_authenticate_from_process.yml b/detections/endpoint/windows_unusual_count_of_users_failed_to_authenticate_from_process.yml index 97241d017e..72c00ef104 100644 --- a/detections/endpoint/windows_unusual_count_of_users_failed_to_authenticate_from_process.yml +++ b/detections/endpoint/windows_unusual_count_of_users_failed_to_authenticate_from_process.yml @@ -13,12 +13,12 @@ references: - https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4625 - https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/basic-audit-logon-events drilldown_searches: -- name: View the detection results for $user$ - search: '%original_detection_search% | search user = $user$' +- name: View the detection results for - "$user$" + search: '%original_detection_search% | search user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ search: '`wineventlog_security` EventCode=4625 Logon_Type=2 ProcessName!="-" | bucket span=2m _time | stats dc(TargetUserName) AS unique_accounts values(TargetUserName) as user by _time, ProcessName, SubjectUserName, Computer | eventstats avg(unique_accounts) as comp_avg , stdev(unique_accounts) as comp_std by ProcessName, SubjectUserName, Computer | eval upperBound=(comp_avg+comp_std*3) | eval isOutlier=if(unique_accounts > 10 and unique_accounts >= upperBound, 1, 0) | search isOutlier=1 | `windows_unusual_count_of_users_failed_to_authenticate_from_process_filter`' diff --git a/detections/endpoint/windows_unusual_count_of_users_failed_to_authenticate_using_ntlm.yml b/detections/endpoint/windows_unusual_count_of_users_failed_to_authenticate_using_ntlm.yml index 6efc3bee1d..fb23accc7a 100644 --- a/detections/endpoint/windows_unusual_count_of_users_failed_to_authenticate_using_ntlm.yml +++ b/detections/endpoint/windows_unusual_count_of_users_failed_to_authenticate_using_ntlm.yml @@ -12,12 +12,12 @@ references: - https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-credential-validation - https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4776 drilldown_searches: -- name: View the detection results for $Workstation$ - search: '%original_detection_search% | search Workstation = $Workstation$' +- name: View the detection results for - "$Workstation$" + search: '%original_detection_search% | search Workstation = "$Workstation$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $Workstation$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($Workstation$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$Workstation$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$Workstation$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ search: '`wineventlog_security` EventCode=4776 TargetUserName!=*$ Status=0xC000006A | bucket span=2m _time | stats dc(TargetUserName) AS unique_accounts values(TargetUserName) as tried_accounts by _time, Workstation | eventstats avg(unique_accounts) as comp_avg , stdev(unique_accounts) as comp_std by Workstation | eval upperBound=(comp_avg+comp_std*3) | eval isOutlier=if(unique_accounts > 10 and unique_accounts >= upperBound, 1, 0) | search isOutlier=1 | `windows_unusual_count_of_users_failed_to_authenticate_using_ntlm_filter`' diff --git a/detections/endpoint/windows_unusual_count_of_users_remotely_failed_to_auth_from_host.yml b/detections/endpoint/windows_unusual_count_of_users_remotely_failed_to_auth_from_host.yml index ca6d27fc76..0dd4119bf6 100644 --- a/detections/endpoint/windows_unusual_count_of_users_remotely_failed_to_auth_from_host.yml +++ b/detections/endpoint/windows_unusual_count_of_users_remotely_failed_to_auth_from_host.yml @@ -13,12 +13,12 @@ references: - https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4625 - https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/basic-audit-logon-events drilldown_searches: -- name: View the detection results for $Computer$ - search: '%original_detection_search% | search Computer = $Computer$' +- name: View the detection results for - "$Computer$" + search: '%original_detection_search% | search Computer = "$Computer$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $Computer$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($Computer$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$Computer$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$Computer$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ search: '`wineventlog_security` EventCode=4625 Logon_Type=3 IpAddress!="-" | bucket span=2m _time | stats dc(TargetUserName) AS unique_accounts values(TargetUserName) as tried_accounts by _time, IpAddress, Computer | eventstats avg(unique_accounts) as comp_avg , stdev(unique_accounts) as comp_std by IpAddress, Computer | eval upperBound=(comp_avg+comp_std*3) | eval isOutlier=if(unique_accounts > 10 and unique_accounts >= upperBound, 1, 0) | search isOutlier=1 | `windows_unusual_count_of_users_remotely_failed_to_auth_from_host_filter`' diff --git a/detections/endpoint/windows_unusual_ntlm_authentication_destinations_by_source.yml b/detections/endpoint/windows_unusual_ntlm_authentication_destinations_by_source.yml index bda352e9f4..32bdd62fbf 100644 --- a/detections/endpoint/windows_unusual_ntlm_authentication_destinations_by_source.yml +++ b/detections/endpoint/windows_unusual_ntlm_authentication_destinations_by_source.yml @@ -18,12 +18,12 @@ references: - https://www.varonis.com/blog/investigate-ntlm-brute-force - https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-nrpc/4d1235e3-2c96-4e9f-a147-3cb338a0d09f drilldown_searches: -- name: View the detection results for $src$ - search: '%original_detection_search% | search src = $src$' +- name: View the detection results for - "$src$" + search: '%original_detection_search% | search src = "$src$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $src$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($src$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$src$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_unusual_ntlm_authentication_destinations_by_user.yml b/detections/endpoint/windows_unusual_ntlm_authentication_destinations_by_user.yml index f8dcf1d247..a15464ddbf 100644 --- a/detections/endpoint/windows_unusual_ntlm_authentication_destinations_by_user.yml +++ b/detections/endpoint/windows_unusual_ntlm_authentication_destinations_by_user.yml @@ -18,12 +18,12 @@ references: - https://www.varonis.com/blog/investigate-ntlm-brute-force - https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-nrpc/4d1235e3-2c96-4e9f-a147-3cb338a0d09f drilldown_searches: -- name: View the detection results for $user$ - search: '%original_detection_search% | search user = $user$' +- name: View the detection results for - "$user$" + search: '%original_detection_search% | search user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_unusual_ntlm_authentication_users_by_destination.yml b/detections/endpoint/windows_unusual_ntlm_authentication_users_by_destination.yml index 301a06678a..b1451a2b5a 100644 --- a/detections/endpoint/windows_unusual_ntlm_authentication_users_by_destination.yml +++ b/detections/endpoint/windows_unusual_ntlm_authentication_users_by_destination.yml @@ -18,12 +18,12 @@ references: - https://www.varonis.com/blog/investigate-ntlm-brute-force - https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-nrpc/4d1235e3-2c96-4e9f-a147-3cb338a0d09f drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_unusual_ntlm_authentication_users_by_source.yml b/detections/endpoint/windows_unusual_ntlm_authentication_users_by_source.yml index d13bfd4e95..ba01c79bac 100644 --- a/detections/endpoint/windows_unusual_ntlm_authentication_users_by_source.yml +++ b/detections/endpoint/windows_unusual_ntlm_authentication_users_by_source.yml @@ -18,12 +18,12 @@ references: - https://www.varonis.com/blog/investigate-ntlm-brute-force - https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-nrpc/4d1235e3-2c96-4e9f-a147-3cb338a0d09f drilldown_searches: -- name: View the detection results for $src$ - search: '%original_detection_search% | search src = $src$' +- name: View the detection results for - "$src$" + search: '%original_detection_search% | search src = "$src$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $src$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($src$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$src$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_user_execution_malicious_url_shortcut_file.yml b/detections/endpoint/windows_user_execution_malicious_url_shortcut_file.yml index c0064f75f9..6f0f7a3b8f 100644 --- a/detections/endpoint/windows_user_execution_malicious_url_shortcut_file.yml +++ b/detections/endpoint/windows_user_execution_malicious_url_shortcut_file.yml @@ -15,12 +15,12 @@ references: - https://attack.mitre.org/techniques/T1204/002/ - https://www.fortinet.com/blog/threat-research/chaos-ransomware-variant-sides-with-russia drilldown_searches: -- name: View the detection results for $user$ and $dest$ - search: '%original_detection_search% | search user = $user$ dest = $dest$' +- name: View the detection results for - "$user$" and "$dest$" + search: '%original_detection_search% | search user = "$user$" dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ and $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$, $dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" and "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_valid_account_with_never_expires_password.yml b/detections/endpoint/windows_valid_account_with_never_expires_password.yml index f142bb6490..1963047e00 100644 --- a/detections/endpoint/windows_valid_account_with_never_expires_password.yml +++ b/detections/endpoint/windows_valid_account_with_never_expires_password.yml @@ -17,12 +17,12 @@ references: - https://app.any.run/tasks/a6f2ffe2-e6e2-4396-ae2e-04ea0143f2d8/ - https://docs.microsoft.com/en-us/troubleshoot/windows-server/networking/net-commands-on-operating-systems drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_vulnerable_3cx_software.yml b/detections/endpoint/windows_vulnerable_3cx_software.yml index 403559d918..c2d6096e0b 100644 --- a/detections/endpoint/windows_vulnerable_3cx_software.yml +++ b/detections/endpoint/windows_vulnerable_3cx_software.yml @@ -20,12 +20,12 @@ references: - https://www.3cx.com/community/threads/crowdstrike-endpoint-security-detection-re-3cx-desktop-app.119934/page-2#post-558898 - https://www.3cx.com/community/threads/3cx-desktopapp-security-alert.119951/ drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_vulnerable_driver_installed.yml b/detections/endpoint/windows_vulnerable_driver_installed.yml index 40028ca55f..d42e1eb3af 100644 --- a/detections/endpoint/windows_vulnerable_driver_installed.yml +++ b/detections/endpoint/windows_vulnerable_driver_installed.yml @@ -18,12 +18,12 @@ references: - https://research.splunk.com/endpoint/a2b1f1ef-221f-4187-b2a4-d4b08ec745f4/ - https://www.splunk.com/en_us/blog/security/these-are-the-drivers-you-are-looking-for-detect-and-prevent-malicious-drivers.html drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_vulnerable_driver_loaded.yml b/detections/endpoint/windows_vulnerable_driver_loaded.yml index 7b27196e3b..9c5a050c58 100644 --- a/detections/endpoint/windows_vulnerable_driver_loaded.yml +++ b/detections/endpoint/windows_vulnerable_driver_loaded.yml @@ -5,28 +5,12 @@ date: '2024-10-17' author: Michael Haag, Splunk status: experimental type: Hunting -description: The following analytic detects the loading of known vulnerable Windows - drivers, which may indicate potential persistence or privilege escalation attempts. - It leverages Sysmon EventCode 6 to identify driver loading events and cross-references - them with a list of vulnerable drivers. This activity is significant as attackers - often exploit vulnerable drivers to gain elevated privileges or maintain persistence - on a system. If confirmed malicious, this could allow attackers to execute arbitrary - code with high privileges, leading to further system compromise and potential data - exfiltration. +description: The following analytic detects the loading of known vulnerable Windows drivers, which may indicate potential persistence or privilege escalation attempts. It leverages Sysmon EventCode 6 to identify driver loading events and cross-references them with a list of vulnerable drivers. This activity is significant as attackers often exploit vulnerable drivers to gain elevated privileges or maintain persistence on a system. If confirmed malicious, this could allow attackers to execute arbitrary code with high privileges, leading to further system compromise and potential data exfiltration. data_source: - - Sysmon EventID 6 -search: - "`sysmon` EventCode=6 | stats min(_time) as firstTime - max(_time) as lastTime count by dest ImageLoaded | lookup loldrivers driver_name AS ImageLoaded OUTPUT - is_driver driver_description | search is_driver = TRUE | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` | `windows_vulnerable_driver_loaded_filter`" -how_to_implement: Sysmon collects driver loads via EventID 6, however you may modify - the query to utilize this lookup to identify potentially persistent drivers that - are known to be vulnerable. -known_false_positives: False positives will be present. Drill down into the driver - further by version number and cross reference by signer. Review the reference material - in the lookup. In addition, modify the query to look within specific paths, which - will remove a lot of "normal" drivers. +- Sysmon EventID 6 +search: '`sysmon` EventCode=6 | stats min(_time) as firstTime max(_time) as lastTime count by dest ImageLoaded | lookup loldrivers driver_name AS ImageLoaded OUTPUT is_driver driver_description | search is_driver = TRUE | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_vulnerable_driver_loaded_filter`' +how_to_implement: Sysmon collects driver loads via EventID 6, however you may modify the query to utilize this lookup to identify potentially persistent drivers that are known to be vulnerable. +known_false_positives: False positives will be present. Drill down into the driver further by version number and cross reference by signer. Review the reference material in the lookup. In addition, modify the query to look within specific paths, which will remove a lot of "normal" drivers. references: - https://github.com/SigmaHQ/sigma/blob/master/rules/windows/driver_load/driver_load_vuln_drivers_names.yml - https://github.com/eclypsium/Screwed-Drivers/blob/master/DRIVERS.md @@ -48,8 +32,7 @@ tags: asset_type: Endpoint confidence: 50 impact: 50 - message: An process has loaded a possible vulnerable driver on $dest$. Review and - escalate as needed. + message: An process has loaded a possible vulnerable driver on $dest$. Review and escalate as needed. mitre_attack_id: - T1543.003 observable: @@ -70,8 +53,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1014/windows-sysmon.log + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1014/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog update_timestamp: true diff --git a/detections/endpoint/windows_windbg_spawning_autoit3.yml b/detections/endpoint/windows_windbg_spawning_autoit3.yml index f5c7758cf6..68c4441221 100644 --- a/detections/endpoint/windows_windbg_spawning_autoit3.yml +++ b/detections/endpoint/windows_windbg_spawning_autoit3.yml @@ -16,12 +16,12 @@ known_false_positives: False positives will only be present if the WinDBG proces references: - https://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2023-10-25-IOCs-from-DarkGate-activity.txt drilldown_searches: -- name: View the detection results for $user$ and $dest$ - search: '%original_detection_search% | search user = $user$ dest = $dest$' +- name: View the detection results for - "$user$" and "$dest$" + search: '%original_detection_search% | search user = "$user$" dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ and $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$, $dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" and "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_winlogon_with_public_network_connection.yml b/detections/endpoint/windows_winlogon_with_public_network_connection.yml index 91ef24568c..5510abe1cc 100644 --- a/detections/endpoint/windows_winlogon_with_public_network_connection.yml +++ b/detections/endpoint/windows_winlogon_with_public_network_connection.yml @@ -7,35 +7,10 @@ status: experimental type: Hunting data_source: - Sysmon EventID 1 AND Sysmon EventID 3 -description: 'The following analytic detects instances of Winlogon.exe, a critical - Windows process, connecting to public IP addresses. This behavior is identified - using Endpoint Detection and Response (EDR) telemetry, focusing on network connections - made by Winlogon.exe. Under normal circumstances, Winlogon.exe should not connect - to public IPs, and such activity may indicate a compromise, such as the BlackLotus - bootkit attack. This detection is significant as it highlights potential system - integrity breaches. If confirmed malicious, attackers could maintain persistence, - bypass security measures, and compromise the system at a fundamental level.' -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) - as lastTime from datamodel=Endpoint.Processes where Processes.process_name IN (winlogon.exe) Processes.process!=unknown - by Processes.dest Processes.user Processes.parent_process_name Processes.process_name - Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` - | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | join process_id - [| tstats `security_content_summariesonly` count FROM datamodel=Network_Traffic.All_Traffic - where All_Traffic.dest_port != 0 NOT (All_Traffic.dest IN (127.0.0.1,10.0.0.0/8,172.16.0.0/12, - 192.168.0.0/16, 0:0:0:0:0:0:0:1)) by All_Traffic.process_id All_Traffic.dest All_Traffic.dest_port - | `drop_dm_object_name(All_Traffic)` | rename dest as publicIp ] | table dest parent_process_name - process_name process_path process process_id dest_port publicIp | `windows_winlogon_with_public_network_connection_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection - and Response (EDR) agents. These agents are designed to provide security-related - telemetry from the endpoints where the agent is installed. To implement this search, - you must ingest logs that contain the process GUID, process name, and parent process. - Additionally, you must ingest complete command-line executions. These logs must - be processed using the appropriate Splunk Technology Add-ons that are specific to - the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` - data model. Use the Splunk Common Information Model (CIM) to normalize the field - names and speed up the data modeling process. -known_false_positives: False positives will be present and filtering will be required. - Legitimate IPs will be present and need to be filtered. +description: The following analytic detects instances of Winlogon.exe, a critical Windows process, connecting to public IP addresses. This behavior is identified using Endpoint Detection and Response (EDR) telemetry, focusing on network connections made by Winlogon.exe. Under normal circumstances, Winlogon.exe should not connect to public IPs, and such activity may indicate a compromise, such as the BlackLotus bootkit attack. This detection is significant as it highlights potential system integrity breaches. If confirmed malicious, attackers could maintain persistence, bypass security measures, and compromise the system at a fundamental level. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name IN (winlogon.exe) Processes.process!=unknown by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | join process_id [| tstats `security_content_summariesonly` count FROM datamodel=Network_Traffic.All_Traffic where All_Traffic.dest_port != 0 NOT (All_Traffic.dest IN (127.0.0.1,10.0.0.0/8,172.16.0.0/12, 192.168.0.0/16, 0:0:0:0:0:0:0:1)) by All_Traffic.process_id All_Traffic.dest All_Traffic.dest_port | `drop_dm_object_name(All_Traffic)` | rename dest as publicIp ] | table dest parent_process_name process_name process_path process process_id dest_port publicIp | `windows_winlogon_with_public_network_connection_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. +known_false_positives: False positives will be present and filtering will be required. Legitimate IPs will be present and need to be filtered. references: - https://www.microsoft.com/en-us/security/blog/2023/04/11/guidance-for-investigating-attacks-using-cve-2022-21894-the-blacklotus-campaign/ tags: @@ -45,8 +20,7 @@ tags: atomic_guid: [] confidence: 50 impact: 50 - message: Winlogon.exe has generated a network connection to a remote destination - on endpoint $dest$. + message: Winlogon.exe has generated a network connection to a remote destination on endpoint $dest$. mitre_attack_id: - T1542.003 observable: @@ -72,7 +46,6 @@ tags: tests: - name: True Positive Test attack_data: - - data: - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1542.003/bootkits/network-winlogon-windows-sysmon.log + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1542.003/bootkits/network-winlogon-windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/windows_wmi_impersonate_token.yml b/detections/endpoint/windows_wmi_impersonate_token.yml index 142e6d3058..0807d007a1 100644 --- a/detections/endpoint/windows_wmi_impersonate_token.yml +++ b/detections/endpoint/windows_wmi_impersonate_token.yml @@ -15,12 +15,12 @@ references: - https://github.com/trustedsec/SysmonCommunityGuide/blob/master/chapters/process-access.md - https://www.joesandbox.com/analysis/278341/0/html drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_wmi_process_and_service_list.yml b/detections/endpoint/windows_wmi_process_and_service_list.yml index 5900448a12..a01dda2385 100644 --- a/detections/endpoint/windows_wmi_process_and_service_list.yml +++ b/detections/endpoint/windows_wmi_process_and_service_list.yml @@ -17,12 +17,12 @@ references: - https://github.com/carlospolop/PEASS-ng/tree/master/winPEAS - https://www.microsoft.com/en-us/security/blog/2022/10/14/new-prestige-ransomware-impacts-organizations-in-ukraine-and-poland/ drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_wmi_process_call_create.yml b/detections/endpoint/windows_wmi_process_call_create.yml index dfbb198142..64d2b07654 100644 --- a/detections/endpoint/windows_wmi_process_call_create.yml +++ b/detections/endpoint/windows_wmi_process_call_create.yml @@ -5,35 +5,13 @@ date: '2024-10-17' author: Teoderick Contreras, Splunk status: production type: Hunting -description: The following analytic detects the execution of WMI command lines used - to create or execute processes. It leverages data from Endpoint Detection and Response - (EDR) agents, focusing on command-line events that include specific keywords like - "process," "call," and "create." This activity is significant because adversaries - often use WMI to execute malicious payloads on local or remote hosts, potentially - bypassing traditional security controls. If confirmed malicious, this behavior could - allow attackers to execute arbitrary code, escalate privileges, or maintain persistence - within the environment, posing a severe threat to organizational security. +description: The following analytic detects the execution of WMI command lines used to create or execute processes. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line events that include specific keywords like "process," "call," and "create." This activity is significant because adversaries often use WMI to execute malicious payloads on local or remote hosts, potentially bypassing traditional security controls. If confirmed malicious, this behavior could allow attackers to execute arbitrary code, escalate privileges, or maintain persistence within the environment, posing a severe threat to organizational security. data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) - as lastTime from datamodel=Endpoint.Processes where `process_wmic` Processes.process - = "* process *" Processes.process = "* call *" Processes.process = "* create *" - by Processes.parent_process_name Processes.parent_process Processes.process_name - Processes.process Processes.original_file_name Processes.process_id Processes.parent_process_path - Processes.process_guid Processes.parent_process_id Processes.dest Processes.user - Processes.process_path | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` | `windows_wmi_process_call_create_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection - and Response (EDR) agents. These agents are designed to provide security-related - telemetry from the endpoints where the agent is installed. To implement this search, - you must ingest logs that contain the process GUID, process name, and parent process. - Additionally, you must ingest complete command-line executions. These logs must - be processed using the appropriate Splunk Technology Add-ons that are specific to - the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` - data model. Use the Splunk Common Information Model (CIM) to normalize the field - names and speed up the data modeling process. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_wmic` Processes.process = "* process *" Processes.process = "* call *" Processes.process = "* create *" by Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.original_file_name Processes.process_id Processes.parent_process_path Processes.process_guid Processes.parent_process_id Processes.dest Processes.user Processes.process_path | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_wmi_process_call_create_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. known_false_positives: Administrators may execute this command for testing or auditing. references: - https://github.com/NVISOsecurity/sigma-public/blob/master/rules/windows/process_creation/win_susp_wmi_execution.yml @@ -85,7 +63,6 @@ tags: tests: - name: True Positive Test attack_data: - - data: - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1047/atomic_red_team/windows-sysmon.log + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1047/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/winevent_scheduled_task_created_to_spawn_shell.yml b/detections/endpoint/winevent_scheduled_task_created_to_spawn_shell.yml index 6151aed2d5..60833be2c5 100644 --- a/detections/endpoint/winevent_scheduled_task_created_to_spawn_shell.yml +++ b/detections/endpoint/winevent_scheduled_task_created_to_spawn_shell.yml @@ -18,12 +18,12 @@ references: - https://redcanary.com/threat-detection-report/techniques/scheduled-task-job/ - https://docs.microsoft.com/en-us/windows/win32/taskschd/time-trigger-example--scripting-?redirectedfrom=MSDN drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/winevent_scheduled_task_created_within_public_path.yml b/detections/endpoint/winevent_scheduled_task_created_within_public_path.yml index 4316e15a29..4e202ce6ca 100644 --- a/detections/endpoint/winevent_scheduled_task_created_within_public_path.yml +++ b/detections/endpoint/winevent_scheduled_task_created_within_public_path.yml @@ -19,12 +19,12 @@ references: - https://docs.microsoft.com/en-us/windows/win32/taskschd/time-trigger-example--scripting-?redirectedfrom=MSDN - https://app.any.run/tasks/e26f1b2e-befa-483b-91d2-e18636e2faf3/ drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/winevent_windows_task_scheduler_event_action_started.yml b/detections/endpoint/winevent_windows_task_scheduler_event_action_started.yml index c27d521051..72dea37014 100644 --- a/detections/endpoint/winevent_windows_task_scheduler_event_action_started.yml +++ b/detections/endpoint/winevent_windows_task_scheduler_event_action_started.yml @@ -5,26 +5,13 @@ date: '2024-10-17' author: Michael Haag, Splunk status: production type: Hunting -description: The following analytic detects the execution of tasks registered in Windows - Task Scheduler by monitoring EventID 200 (action run) and 201 (action completed) - from the Task Scheduler logs. This detection leverages Task Scheduler logs to identify - potentially suspicious or unauthorized task executions. Monitoring these events - is significant for a SOC as it helps uncover evasive techniques used for persistence, - unauthorized code execution, or other malicious activities. If confirmed malicious, - this activity could lead to unauthorized access, data exfiltration, or the execution - of harmful payloads, posing a significant threat to the environment. +description: The following analytic detects the execution of tasks registered in Windows Task Scheduler by monitoring EventID 200 (action run) and 201 (action completed) from the Task Scheduler logs. This detection leverages Task Scheduler logs to identify potentially suspicious or unauthorized task executions. Monitoring these events is significant for a SOC as it helps uncover evasive techniques used for persistence, unauthorized code execution, or other malicious activities. If confirmed malicious, this activity could lead to unauthorized access, data exfiltration, or the execution of harmful payloads, posing a significant threat to the environment. data_source: - Windows Event Log TaskScheduler 200 - Windows Event Log TaskScheduler 201 -search: '`wineventlog_task_scheduler` EventCode IN ("200","201") | stats count min(_time) - as firstTime max(_time) as lastTime by TaskName dest EventCode | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` | `winevent_windows_task_scheduler_event_action_started_filter`' -how_to_implement: Task Scheduler logs are required to be collected. Enable logging - with inputs.conf by adding a stanza for [WinEventLog://Microsoft-Windows-TaskScheduler/Operational] - and renderXml=false. Note, not translating it in XML may require a proper extraction - of specific items in the Message. -known_false_positives: False positives will be present. Filter based on ActionName - paths or specify keywords of interest. +search: '`wineventlog_task_scheduler` EventCode IN ("200","201") | stats count min(_time) as firstTime max(_time) as lastTime by TaskName dest EventCode | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `winevent_windows_task_scheduler_event_action_started_filter`' +how_to_implement: Task Scheduler logs are required to be collected. Enable logging with inputs.conf by adding a stanza for [WinEventLog://Microsoft-Windows-TaskScheduler/Operational] and renderXml=false. Note, not translating it in XML may require a proper extraction of specific items in the Message. +known_false_positives: False positives will be present. Filter based on ActionName paths or specify keywords of interest. references: - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.005/T1053.005.md - https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/ diff --git a/detections/endpoint/winhlp32_spawning_a_process.yml b/detections/endpoint/winhlp32_spawning_a_process.yml index 77c9766e9f..c69dc86ece 100644 --- a/detections/endpoint/winhlp32_spawning_a_process.yml +++ b/detections/endpoint/winhlp32_spawning_a_process.yml @@ -18,12 +18,12 @@ references: - https://tria.ge/210929-ap75vsddan - https://www.virustotal.com/gui/file/cb77b93150cb0f7fe65ce8a7e2a5781e727419451355a7736db84109fa215a89 drilldown_searches: -- name: View the detection results for $user$ and $dest$ - search: '%original_detection_search% | search user = $user$ dest = $dest$' +- name: View the detection results for - "$user$" and "$dest$" + search: '%original_detection_search% | search user = "$user$" dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ and $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$, $dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" and "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/winrar_spawning_shell_application.yml b/detections/endpoint/winrar_spawning_shell_application.yml index d662a7b37d..6f6d816cfa 100644 --- a/detections/endpoint/winrar_spawning_shell_application.yml +++ b/detections/endpoint/winrar_spawning_shell_application.yml @@ -18,12 +18,12 @@ references: - https://github.com/BoredHackerBlog/winrar_CVE-2023-38831_lazy_poc - https://github.com/b1tg/CVE-2023-38831-winrar-exploit drilldown_searches: -- name: View the detection results for $user$ and $dest$ - search: '%original_detection_search% | search user = $user$ dest = $dest$' +- name: View the detection results for - "$user$" and "$dest$" + search: '%original_detection_search% | search user = "$user$" dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ and $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$, $dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" and "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/winrm_spawning_a_process.yml b/detections/endpoint/winrm_spawning_a_process.yml index 5ed8d04b27..82df49e04d 100644 --- a/detections/endpoint/winrm_spawning_a_process.yml +++ b/detections/endpoint/winrm_spawning_a_process.yml @@ -5,34 +5,14 @@ date: '2024-10-17' author: Drew Church, Michael Haag, Splunk status: experimental type: TTP -description: The following analytic detects suspicious processes spawned by WinRM - (wsmprovhost.exe). It leverages data from Endpoint Detection and Response (EDR) - agents, focusing on specific child processes like cmd.exe, powershell.exe, and others. - This activity is significant as it may indicate exploitation attempts of vulnerabilities - like CVE-2021-31166, which could lead to system instability or compromise. If confirmed - malicious, attackers could execute arbitrary commands, escalate privileges, or maintain - persistence, posing a severe threat to the environment. +description: The following analytic detects suspicious processes spawned by WinRM (wsmprovhost.exe). It leverages data from Endpoint Detection and Response (EDR) agents, focusing on specific child processes like cmd.exe, powershell.exe, and others. This activity is significant as it may indicate exploitation attempts of vulnerabilities like CVE-2021-31166, which could lead to system instability or compromise. If confirmed malicious, attackers could execute arbitrary commands, escalate privileges, or maintain persistence, posing a severe threat to the environment. data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) - as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=wsmprovhost.exe - Processes.process_name IN ("cmd.exe","sh.exe","bash.exe","powershell.exe","pwsh.exe","schtasks.exe","certutil.exe","whoami.exe","bitsadmin.exe","scp.exe") - by Processes.dest Processes.user Processes.parent_process Processes.process_name - Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` - | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `winrm_spawning_a_process_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection - and Response (EDR) agents. These agents are designed to provide security-related - telemetry from the endpoints where the agent is installed. To implement this search, - you must ingest logs that contain the process GUID, process name, and parent process. - Additionally, you must ingest complete command-line executions. These logs must - be processed using the appropriate Splunk Technology Add-ons that are specific to - the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` - data model. Use the Splunk Common Information Model (CIM) to normalize the field - names and speed up the data modeling process. -known_false_positives: Unknown. Add new processes or filter as needed. It is possible - system management software may spawn processes from `wsmprovhost.exe`. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=wsmprovhost.exe Processes.process_name IN ("cmd.exe","sh.exe","bash.exe","powershell.exe","pwsh.exe","schtasks.exe","certutil.exe","whoami.exe","bitsadmin.exe","scp.exe") by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `winrm_spawning_a_process_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. +known_false_positives: Unknown. Add new processes or filter as needed. It is possible system management software may spawn processes from `wsmprovhost.exe`. references: - https://github.com/SigmaHQ/sigma/blob/9b7fb0c0f3af2e53ed483e29e0d0f88ccf1c08ca/rules/windows/process_access/win_susp_shell_spawn_from_winrm.yml - https://www.zerodayinitiative.com/blog/2021/5/17/cve-2021-31166-a-wormable-code-execution-bug-in-httpsys diff --git a/detections/endpoint/winword_spawning_cmd.yml b/detections/endpoint/winword_spawning_cmd.yml index 53e8b6afee..d1cf7bdc45 100644 --- a/detections/endpoint/winword_spawning_cmd.yml +++ b/detections/endpoint/winword_spawning_cmd.yml @@ -16,12 +16,12 @@ known_false_positives: False positives should be limited, but if any are present references: - https://app.any.run/tasks/73af0064-a785-4c0a-ab0d-cde593fe16ef/ drilldown_searches: -- name: View the detection results for $dest$ and $user$ - search: '%original_detection_search% | search dest = $dest$ user = $user$' +- name: View the detection results for - "$dest$" and "$user$" + search: '%original_detection_search% | search dest = "$dest$" user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ and $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$, $user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" and "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/winword_spawning_powershell.yml b/detections/endpoint/winword_spawning_powershell.yml index 889b74bd47..47c68b2e53 100644 --- a/detections/endpoint/winword_spawning_powershell.yml +++ b/detections/endpoint/winword_spawning_powershell.yml @@ -19,12 +19,12 @@ references: - https://app.any.run/tasks/b79fa381-f35c-4b3e-8d02-507e7ee7342f/ - https://app.any.run/tasks/181ac90b-0898-4631-8701-b778a30610ad/ drilldown_searches: -- name: View the detection results for $dest$ and $user$ - search: '%original_detection_search% | search dest = $dest$ user = $user$' +- name: View the detection results for - "$dest$" and "$user$" + search: '%original_detection_search% | search dest = "$dest$" user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ and $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$, $user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" and "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/winword_spawning_windows_script_host.yml b/detections/endpoint/winword_spawning_windows_script_host.yml index 1f0b31c723..7c73358d65 100644 --- a/detections/endpoint/winword_spawning_windows_script_host.yml +++ b/detections/endpoint/winword_spawning_windows_script_host.yml @@ -16,12 +16,12 @@ known_false_positives: There will be limited false positives and it will be diff references: - https://attack.mitre.org/techniques/T1566/001/ drilldown_searches: -- name: View the detection results for $dest$ and $user$ - search: '%original_detection_search% | search dest = $dest$ user = $user$' +- name: View the detection results for - "$dest$" and "$user$" + search: '%original_detection_search% | search dest = "$dest$" user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ and $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$, $user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" and "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/wmi_permanent_event_subscription.yml b/detections/endpoint/wmi_permanent_event_subscription.yml index 7a4b4e27f6..f33ec6f8d9 100644 --- a/detections/endpoint/wmi_permanent_event_subscription.yml +++ b/detections/endpoint/wmi_permanent_event_subscription.yml @@ -5,19 +5,11 @@ date: '2024-10-17' author: Rico Valdez, Splunk status: experimental type: TTP -description: |- - The following analytic detects the creation of permanent event subscriptions using Windows Management Instrumentation (WMI). It leverages Sysmon EventID 5 data to identify instances where the event consumers are not the expected "NTEventLogEventConsumer." This activity is significant because it suggests an attacker is attempting to achieve persistence by running malicious scripts or binaries in response to specific system events. If confirmed malicious, this could lead to severe impacts such as data theft, ransomware deployment, or other damaging outcomes. Investigate the associated scripts or binaries to identify the source of the attack. +description: The following analytic detects the creation of permanent event subscriptions using Windows Management Instrumentation (WMI). It leverages Sysmon EventID 5 data to identify instances where the event consumers are not the expected "NTEventLogEventConsumer." This activity is significant because it suggests an attacker is attempting to achieve persistence by running malicious scripts or binaries in response to specific system events. If confirmed malicious, this could lead to severe impacts such as data theft, ransomware deployment, or other damaging outcomes. Investigate the associated scripts or binaries to identify the source of the attack. data_source: [] -search: '`wmi` EventCode=5861 Binding | rex field=Message "Consumer =\s+(?[^;|^$]+)" - | search consumer!="NTEventLogEventConsumer=\"SCM Event Log Consumer\"" | stats - count min(_time) as firstTime max(_time) as lastTime by ComputerName, consumer, - Message | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` - | rename ComputerName as dest | `wmi_permanent_event_subscription_filter`' -how_to_implement: To successfully implement this search, you must be ingesting the - Windows WMI activity logs. This can be done by adding a stanza to inputs.conf on - the system generating logs with a title of [WinEventLog://Microsoft-Windows-WMI-Activity/Operational]. -known_false_positives: Although unlikely, administrators may use event subscriptions - for legitimate purposes. +search: '`wmi` EventCode=5861 Binding | rex field=Message "Consumer =\s+(?[^;|^$]+)" | search consumer!="NTEventLogEventConsumer=\"SCM Event Log Consumer\"" | stats count min(_time) as firstTime max(_time) as lastTime by ComputerName, consumer, Message | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | rename ComputerName as dest | `wmi_permanent_event_subscription_filter`' +how_to_implement: To successfully implement this search, you must be ingesting the Windows WMI activity logs. This can be done by adding a stanza to inputs.conf on the system generating logs with a title of [WinEventLog://Microsoft-Windows-WMI-Activity/Operational]. +known_false_positives: Although unlikely, administrators may use event subscriptions for legitimate purposes. references: [] tags: analytic_story: diff --git a/detections/endpoint/wmi_permanent_event_subscription___sysmon.yml b/detections/endpoint/wmi_permanent_event_subscription___sysmon.yml index 86a31e9e13..9ade701b1b 100644 --- a/detections/endpoint/wmi_permanent_event_subscription___sysmon.yml +++ b/detections/endpoint/wmi_permanent_event_subscription___sysmon.yml @@ -17,12 +17,12 @@ references: - https://github.com/trustedsec/SysmonCommunityGuide/blob/master/chapters/WMI-events.md - https://in.security/2019/04/03/an-intro-into-abusing-and-identifying-wmi-event-subscriptions-for-persistence/ drilldown_searches: -- name: View the detection results for $dest$ and $user$ - search: '%original_detection_search% | search dest = $dest$ user = $user$' +- name: View the detection results for - "$dest$" and "$user$" + search: '%original_detection_search% | search dest = "$dest$" user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ and $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$, $user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" and "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/wmi_recon_running_process_or_services.yml b/detections/endpoint/wmi_recon_running_process_or_services.yml index c868413399..44fc4a3608 100644 --- a/detections/endpoint/wmi_recon_running_process_or_services.yml +++ b/detections/endpoint/wmi_recon_running_process_or_services.yml @@ -17,12 +17,12 @@ references: - https://github.com/trustedsec/SysmonCommunityGuide/blob/master/chapters/WMI-events.md - https://in.security/2019/04/03/an-intro-into-abusing-and-identifying-wmi-event-subscriptions-for-persistence/ drilldown_searches: -- name: View the detection results for $dest$ and $user$ - search: '%original_detection_search% | search dest = $dest$ user = $user$' +- name: View the detection results for - "$dest$" and "$user$" + search: '%original_detection_search% | search dest = "$dest$" user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ and $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$, $user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" and "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/wmi_temporary_event_subscription.yml b/detections/endpoint/wmi_temporary_event_subscription.yml index ff2d0d8f70..c37ca459ca 100644 --- a/detections/endpoint/wmi_temporary_event_subscription.yml +++ b/detections/endpoint/wmi_temporary_event_subscription.yml @@ -5,28 +5,11 @@ date: '2024-10-17' author: Rico Valdez, Splunk status: experimental type: TTP -description: "The following analytic detects the creation of WMI temporary event subscriptions. - It leverages Windows Event Logs, specifically EventCode 5860, to identify these - activities. This detection is significant because attackers often use WMI to execute - commands, gather information, or maintain persistence within a compromised system. - If confirmed malicious, this activity could allow an attacker to execute arbitrary - code, escalate privileges, or persist in the environment. Analysts should review - the specific WMI queries and assess their intent, considering potential false positives - from legitimate administrative tasks." +description: The following analytic detects the creation of WMI temporary event subscriptions. It leverages Windows Event Logs, specifically EventCode 5860, to identify these activities. This detection is significant because attackers often use WMI to execute commands, gather information, or maintain persistence within a compromised system. If confirmed malicious, this activity could allow an attacker to execute arbitrary code, escalate privileges, or persist in the environment. Analysts should review the specific WMI queries and assess their intent, considering potential false positives from legitimate administrative tasks. data_source: [] -search: '`wmi` EventCode=5860 Temporary | rex field=Message "NotificationQuery =\s+(?[^;|^$]+)" - | search query!="SELECT * FROM Win32_ProcessStartTrace WHERE ProcessName = ''wsmprovhost.exe''" - AND query!="SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA ''AntiVirusProduct'' - OR TargetInstance ISA ''FirewallProduct'' OR TargetInstance ISA ''AntiSpywareProduct''" - | stats count min(_time) as firstTime max(_time) as lastTime by ComputerName, query | - `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `wmi_temporary_event_subscription_filter`' -how_to_implement: To successfully implement this search, you must be ingesting the - Windows WMI activity logs. This can be done by adding a stanza to inputs.conf on - the system generating logs with a title of [WinEventLog://Microsoft-Windows-WMI-Activity/Operational]. -known_false_positives: Some software may create WMI temporary event subscriptions - for various purposes. The included search contains an exception for two of these - that occur by default on Windows 10 systems. You may need to modify the search to - create exceptions for other legitimate events. +search: '`wmi` EventCode=5860 Temporary | rex field=Message "NotificationQuery =\s+(?[^;|^$]+)" | search query!="SELECT * FROM Win32_ProcessStartTrace WHERE ProcessName = ''wsmprovhost.exe''" AND query!="SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA ''AntiVirusProduct'' OR TargetInstance ISA ''FirewallProduct'' OR TargetInstance ISA ''AntiSpywareProduct''" | stats count min(_time) as firstTime max(_time) as lastTime by ComputerName, query | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `wmi_temporary_event_subscription_filter`' +how_to_implement: To successfully implement this search, you must be ingesting the Windows WMI activity logs. This can be done by adding a stanza to inputs.conf on the system generating logs with a title of [WinEventLog://Microsoft-Windows-WMI-Activity/Operational]. +known_false_positives: Some software may create WMI temporary event subscriptions for various purposes. The included search contains an exception for two of these that occur by default on Windows 10 systems. You may need to modify the search to create exceptions for other legitimate events. references: [] tags: analytic_story: diff --git a/detections/endpoint/wmic_group_discovery.yml b/detections/endpoint/wmic_group_discovery.yml index 4699165a1b..e16b5a8384 100644 --- a/detections/endpoint/wmic_group_discovery.yml +++ b/detections/endpoint/wmic_group_discovery.yml @@ -5,33 +5,13 @@ date: '2024-10-17' author: Michael Haag, Splunk status: production type: Hunting -description: 'The following analytic identifies the use of `wmic.exe` to enumerate - local groups on an endpoint. This detection leverages data from Endpoint Detection - and Response (EDR) agents, focusing on process execution logs, including command-line - details. Monitoring this activity is significant as it can indicate reconnaissance - efforts by an attacker to understand group memberships, which could be a precursor - to privilege escalation or lateral movement. If confirmed malicious, this activity - could allow an attacker to map out privileged groups, aiding in further exploitation - and persistence within the environment.' +description: The following analytic identifies the use of `wmic.exe` to enumerate local groups on an endpoint. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs, including command-line details. Monitoring this activity is significant as it can indicate reconnaissance efforts by an attacker to understand group memberships, which could be a precursor to privilege escalation or lateral movement. If confirmed malicious, this activity could allow an attacker to map out privileged groups, aiding in further exploitation and persistence within the environment. data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) - as lastTime from datamodel=Endpoint.Processes where Processes.process_name=wmic.exe - (Processes.process="*group get name*") by Processes.dest Processes.user Processes.parent_process_name - Processes.process_name Processes.process Processes.original_file_name Processes.process_id - Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| - `security_content_ctime(lastTime)` | `wmic_group_discovery_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection - and Response (EDR) agents. These agents are designed to provide security-related - telemetry from the endpoints where the agent is installed. To implement this search, - you must ingest logs that contain the process GUID, process name, and parent process. - Additionally, you must ingest complete command-line executions. These logs must - be processed using the appropriate Splunk Technology Add-ons that are specific to - the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` - data model. Use the Splunk Common Information Model (CIM) to normalize the field - names and speed up the data modeling process. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=wmic.exe (Processes.process="*group get name*") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.original_file_name Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `wmic_group_discovery_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. known_false_positives: Administrators or power users may use this command for troubleshooting. references: - https://attack.mitre.org/techniques/T1069/001/ @@ -77,7 +57,6 @@ tags: tests: - name: True Positive Test attack_data: - - data: - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1069.001/atomic_red_team/windows-sysmon.log + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1069.001/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/wmic_noninteractive_app_uninstallation.yml b/detections/endpoint/wmic_noninteractive_app_uninstallation.yml index 5c00357ba3..5c1cdf4d3c 100644 --- a/detections/endpoint/wmic_noninteractive_app_uninstallation.yml +++ b/detections/endpoint/wmic_noninteractive_app_uninstallation.yml @@ -5,36 +5,14 @@ date: '2024-10-17' author: Teoderick Contreras, Splunk status: production type: Hunting -description: The following analytic identifies the use of the WMIC command-line tool - attempting to uninstall applications non-interactively. It leverages data from Endpoint - Detection and Response (EDR) agents, focusing on specific command-line patterns - associated with WMIC. This activity is significant because it is uncommon and may - indicate an attempt to evade detection by uninstalling security software, as seen - in IcedID malware campaigns. If confirmed malicious, this behavior could allow an - attacker to disable security defenses, facilitating further compromise and persistence - within the environment. +description: The following analytic identifies the use of the WMIC command-line tool attempting to uninstall applications non-interactively. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on specific command-line patterns associated with WMIC. This activity is significant because it is uncommon and may indicate an attempt to evade detection by uninstalling security software, as seen in IcedID malware campaigns. If confirmed malicious, this behavior could allow an attacker to disable security defenses, facilitating further compromise and persistence within the environment. data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) - as lastTime from datamodel=Endpoint.Processes where Processes.process_name=wmic.exe - Processes.process="* product *" Processes.process="*where name*" Processes.process="*call - uninstall*" Processes.process="*/nointeractive*" by Processes.dest Processes.user - Processes.parent_process_name Processes.process_name Processes.process Processes.original_file_name - Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` - | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `wmic_noninteractive_app_uninstallation_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection - and Response (EDR) agents. These agents are designed to provide security-related - telemetry from the endpoints where the agent is installed. To implement this search, - you must ingest logs that contain the process GUID, process name, and parent process. - Additionally, you must ingest complete command-line executions. These logs must - be processed using the appropriate Splunk Technology Add-ons that are specific to - the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` - data model. Use the Splunk Common Information Model (CIM) to normalize the field - names and speed up the data modeling process. -known_false_positives: Third party application may use this approach to uninstall - applications. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=wmic.exe Processes.process="* product *" Processes.process="*where name*" Processes.process="*call uninstall*" Processes.process="*/nointeractive*" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.original_file_name Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `wmic_noninteractive_app_uninstallation_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. +known_false_positives: Third party application may use this approach to uninstall applications. references: - https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/ tags: @@ -44,8 +22,7 @@ tags: asset_type: Endpoint confidence: 50 impact: 50 - message: Wmic $process_name$ with command-line $process$ on $dest$ attempting to - uninstall software. + message: Wmic $process_name$ with command-line $process$ on $dest$ attempting to uninstall software. mitre_attack_id: - T1562.001 - T1562 @@ -84,7 +61,6 @@ tags: tests: - name: True Positive Test attack_data: - - data: - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/icedid/disable_av/sysmon2.log + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/icedid/disable_av/sysmon2.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/wmic_xsl_execution_via_url.yml b/detections/endpoint/wmic_xsl_execution_via_url.yml index a69f1dd325..85e115116d 100644 --- a/detections/endpoint/wmic_xsl_execution_via_url.yml +++ b/detections/endpoint/wmic_xsl_execution_via_url.yml @@ -18,12 +18,12 @@ references: - https://web.archive.org/web/20190814201250/https://subt0x11.blogspot.com/2018/04/wmicexe-whitelisting-bypass-hacking.html - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1220/T1220.md#atomic-test-4---wmic-bypass-using-remote-xsl-file drilldown_searches: -- name: View the detection results for $user$ and $dest$ - search: '%original_detection_search% | search user = $user$ dest = $dest$' +- name: View the detection results for - "$user$" and "$dest$" + search: '%original_detection_search% | search user = "$user$" dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ and $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$, $dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" and "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/wmiprsve_lolbas_execution_process_spawn.yml b/detections/endpoint/wmiprsve_lolbas_execution_process_spawn.yml index 6c53e39bf9..e653bce937 100644 --- a/detections/endpoint/wmiprsve_lolbas_execution_process_spawn.yml +++ b/detections/endpoint/wmiprsve_lolbas_execution_process_spawn.yml @@ -18,12 +18,12 @@ references: - https://www.ired.team/offensive-security/lateral-movement/t1047-wmi-for-lateral-movement - https://lolbas-project.github.io/ drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/wscript_or_cscript_suspicious_child_process.yml b/detections/endpoint/wscript_or_cscript_suspicious_child_process.yml index c776661c60..5a53dd8b43 100644 --- a/detections/endpoint/wscript_or_cscript_suspicious_child_process.yml +++ b/detections/endpoint/wscript_or_cscript_suspicious_child_process.yml @@ -17,12 +17,12 @@ references: - https://www.hybrid-analysis.com/sample/8da5b75b6380a41eee3a399c43dfe0d99eeefaa1fd21027a07b1ecaa4cd96fdd?environmentId=120 - https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/ drilldown_searches: -- name: View the detection results for $dest$ and $user$ - search: '%original_detection_search% | search dest = $dest$ user = $user$' +- name: View the detection results for - "$dest$" and "$user$" + search: '%original_detection_search% | search dest = "$dest$" user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ and $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$, $user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" and "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/wsmprovhost_lolbas_execution_process_spawn.yml b/detections/endpoint/wsmprovhost_lolbas_execution_process_spawn.yml index 54ded586b5..6dc9deab8d 100644 --- a/detections/endpoint/wsmprovhost_lolbas_execution_process_spawn.yml +++ b/detections/endpoint/wsmprovhost_lolbas_execution_process_spawn.yml @@ -18,12 +18,12 @@ references: - https://lolbas-project.github.io/ - https://pentestlab.blog/2018/05/15/lateral-movement-winrm/ drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/wsreset_uac_bypass.yml b/detections/endpoint/wsreset_uac_bypass.yml index b9ed2bc9d9..45f8700407 100644 --- a/detections/endpoint/wsreset_uac_bypass.yml +++ b/detections/endpoint/wsreset_uac_bypass.yml @@ -16,12 +16,12 @@ references: - https://github.com/hfiref0x/UACME - https://blog.morphisec.com/trickbot-uses-a-new-windows-10-uac-bypass drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/xmrig_driver_loaded.yml b/detections/endpoint/xmrig_driver_loaded.yml index a4a580b1f9..1dd153b452 100644 --- a/detections/endpoint/xmrig_driver_loaded.yml +++ b/detections/endpoint/xmrig_driver_loaded.yml @@ -14,12 +14,12 @@ known_false_positives: False positives should be limited. references: - https://www.trendmicro.com/vinfo/hk/threat-encyclopedia/malware/trojan.ps1.powtran.a/ drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/xsl_script_execution_with_wmic.yml b/detections/endpoint/xsl_script_execution_with_wmic.yml index f74dfca1be..bca6ec1e2a 100644 --- a/detections/endpoint/xsl_script_execution_with_wmic.yml +++ b/detections/endpoint/xsl_script_execution_with_wmic.yml @@ -19,12 +19,12 @@ references: - https://web.archive.org/web/20190814201250/https://subt0x11.blogspot.com/2018/04/wmicexe-whitelisting-bypass-hacking.html - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1220/T1220.md#atomic-test-3---wmic-bypass-using-local-xsl-file drilldown_searches: -- name: View the detection results for $user$ and $dest$ - search: '%original_detection_search% | search user = $user$ dest = $dest$' +- name: View the detection results for - "$user$" and "$dest$" + search: '%original_detection_search% | search user = "$user$" dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ and $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$, $dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" and "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/network/detect_arp_poisoning.yml b/detections/network/detect_arp_poisoning.yml index df60d73547..4273b605a3 100644 --- a/detections/network/detect_arp_poisoning.yml +++ b/detections/network/detect_arp_poisoning.yml @@ -5,30 +5,11 @@ date: '2024-10-17' author: Mikael Bjerkeland, Splunk status: experimental type: TTP -description: The following analytic detects ARP Poisoning attacks by monitoring for - Dynamic ARP Inspection (DAI) errors on Cisco network devices. It leverages logs - from Cisco devices, specifically looking for events where the ARP inspection feature - has disabled an interface due to suspicious activity. This activity is significant - because ARP Poisoning can allow attackers to intercept, modify, or disrupt network - traffic, leading to potential data breaches or denial of service. If confirmed malicious, - this could enable attackers to perform man-in-the-middle attacks, compromising the - integrity and confidentiality of network communications. +description: The following analytic detects ARP Poisoning attacks by monitoring for Dynamic ARP Inspection (DAI) errors on Cisco network devices. It leverages logs from Cisco devices, specifically looking for events where the ARP inspection feature has disabled an interface due to suspicious activity. This activity is significant because ARP Poisoning can allow attackers to intercept, modify, or disrupt network traffic, leading to potential data breaches or denial of service. If confirmed malicious, this could enable attackers to perform man-in-the-middle attacks, compromising the integrity and confidentiality of network communications. data_source: [] -search: '`cisco_networks` facility="PM" mnemonic="ERR_DISABLE" disable_cause="arp-inspection" - | eval src_interface=src_int_prefix_long+src_int_suffix | stats min(_time) AS firstTime - max(_time) AS lastTime count BY host src_interface | `security_content_ctime(firstTime)`|`security_content_ctime(lastTime)`| - `detect_arp_poisoning_filter`' -how_to_implement: This search uses a standard SPL query on logs from Cisco Network - devices. The network devices must be configured with DHCP Snooping (see - https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst2960x/software/15-0_2_EX/security/configuration_guide/b_sec_152ex_2960-x_cg/b_sec_152ex_2960-x_cg_chapter_01101.html) - and Dynamic ARP Inspection (see - https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst2960x/software/15-2_2_e/security/configuration_guide/b_sec_1522e_2960x_cg/b_sec_1522e_2960x_cg_chapter_01111.html) - and log with a severity level of minimum "5 - notification". The search also requires - that the Cisco Networks Add-on for Splunk (https://splunkbase.splunk.com/app/1467) - is used to parse the logs from the Cisco network devices. -known_false_positives: This search might be prone to high false positives if DHCP - Snooping or ARP inspection has been incorrectly configured, or if a device normally - sends many ARP packets (unlikely). +search: '`cisco_networks` facility="PM" mnemonic="ERR_DISABLE" disable_cause="arp-inspection" | eval src_interface=src_int_prefix_long+src_int_suffix | stats min(_time) AS firstTime max(_time) AS lastTime count BY host src_interface | `security_content_ctime(firstTime)`|`security_content_ctime(lastTime)`| `detect_arp_poisoning_filter`' +how_to_implement: This search uses a standard SPL query on logs from Cisco Network devices. The network devices must be configured with DHCP Snooping (see https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst2960x/software/15-0_2_EX/security/configuration_guide/b_sec_152ex_2960-x_cg/b_sec_152ex_2960-x_cg_chapter_01101.html) and Dynamic ARP Inspection (see https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst2960x/software/15-2_2_e/security/configuration_guide/b_sec_1522e_2960x_cg/b_sec_1522e_2960x_cg_chapter_01111.html) and log with a severity level of minimum "5 - notification". The search also requires that the Cisco Networks Add-on for Splunk (https://splunkbase.splunk.com/app/1467) is used to parse the logs from the Cisco network devices. +known_false_positives: This search might be prone to high false positives if DHCP Snooping or ARP inspection has been incorrectly configured, or if a device normally sends many ARP packets (unlikely). references: [] tags: analytic_story: diff --git a/detections/network/detect_dga_domains_using_pretrained_model_in_dsdl.yml b/detections/network/detect_dga_domains_using_pretrained_model_in_dsdl.yml index bad994321f..4ea1f1f9c7 100644 --- a/detections/network/detect_dga_domains_using_pretrained_model_in_dsdl.yml +++ b/detections/network/detect_dga_domains_using_pretrained_model_in_dsdl.yml @@ -5,50 +5,27 @@ date: '2024-10-17' author: Abhinav Mishra, Kumar Sharad and Namratha Sreekanta, Splunk status: experimental type: Anomaly -description: The following analytic identifies Domain Generation Algorithm (DGA) generated - domains using a pre-trained deep learning model. It leverages the Network Resolution - data model to analyze domain names and detect unusual character sequences indicative - of DGA activity. This behavior is significant as adversaries often use DGAs to generate - numerous domain names for command-and-control servers, making it harder to block - malicious traffic. If confirmed malicious, this activity could enable attackers - to maintain persistent communication with compromised systems, evade detection, - and execute further malicious actions. +description: The following analytic identifies Domain Generation Algorithm (DGA) generated domains using a pre-trained deep learning model. It leverages the Network Resolution data model to analyze domain names and detect unusual character sequences indicative of DGA activity. This behavior is significant as adversaries often use DGAs to generate numerous domain names for command-and-control servers, making it harder to block malicious traffic. If confirmed malicious, this activity could enable attackers to maintain persistent communication with compromised systems, evade detection, and execute further malicious actions. data_source: [] -search: '| tstats `security_content_summariesonly` values(DNS.answer) as IPs min(_time) - as firstTime max(_time) as lastTime from datamodel=Network_Resolution by DNS.src, - DNS.query | `drop_dm_object_name(DNS)` | rename query AS domain | fields IPs, src, - domain, firstTime, lastTime | apply pretrained_dga_model_dsdl | rename pred_dga_proba - AS dga_score | where dga_score>0.5 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` - | table src, domain, IPs, firstTime, lastTime, dga_score | `detect_dga_domains_using_pretrained_model_in_dsdl_filter`' -how_to_implement: 'Steps to deploy DGA detection model into Splunk App DSDL.\ This - detection depends on the Splunk app for Data Science and Deep Learning which can - be found here - https://splunkbase.splunk.com/app/4607/ and the Network Resolution - datamodel which can be found here - https://splunkbase.splunk.com/app/1621/. The - detection uses a pre-trained deep learning model that needs to be deployed in DSDL - app. Follow the steps for deployment here - https://github.com/splunk/security_content/wiki/How-to-deploy-pre-trained-Deep-Learning-models-for-ESCU. - * Download the artifacts .tar.gz file from the link `https://seal.splunkresearch.com/pretrained_dga_model_dsdl.tar.gz` +search: '| tstats `security_content_summariesonly` values(DNS.answer) as IPs min(_time) as firstTime max(_time) as lastTime from datamodel=Network_Resolution by DNS.src, DNS.query | `drop_dm_object_name(DNS)` | rename query AS domain | fields IPs, src, domain, firstTime, lastTime | apply pretrained_dga_model_dsdl | rename pred_dga_proba AS dga_score | where dga_score>0.5 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | table src, domain, IPs, firstTime, lastTime, dga_score | `detect_dga_domains_using_pretrained_model_in_dsdl_filter`' +how_to_implement: 'Steps to deploy DGA detection model into Splunk App DSDL.\ This detection depends on the Splunk app for Data Science and Deep Learning which can be found here - https://splunkbase.splunk.com/app/4607/ and the Network Resolution datamodel which can be found here - https://splunkbase.splunk.com/app/1621/. The detection uses a pre-trained deep learning model that needs to be deployed in DSDL app. Follow the steps for deployment here - https://github.com/splunk/security_content/wiki/How-to-deploy-pre-trained-Deep-Learning-models-for-ESCU. * Download the artifacts .tar.gz file from the link `https://seal.splunkresearch.com/pretrained_dga_model_dsdl.tar.gz` * Download the pretrained_dga_model_dsdl.ipynb Jupyter notebook from `https://github.com/splunk/security_content/notebooks` - * Login to the Jupyter Lab for pretrained_dga_model_dsdl container. This container - should be listed on Containers page for DSDL app. + * Login to the Jupyter Lab for pretrained_dga_model_dsdl container. This container should be listed on Containers page for DSDL app. * Below steps need to be followed inside Jupyter lab - * Upload the pretrained_dga_model_dsdl.tar.gz file into `app/model/data` path using - the upload option in the jupyter notebook. + * Upload the pretrained_dga_model_dsdl.tar.gz file into `app/model/data` path using the upload option in the jupyter notebook. - * Untar the artifact `pretrained_dga_model_dsdl.tar.gz` using `tar -xf app/model/data/pretrained_dga_model_dsdl.tar.gz - -C app/model/data` + * Untar the artifact `pretrained_dga_model_dsdl.tar.gz` using `tar -xf app/model/data/pretrained_dga_model_dsdl.tar.gz -C app/model/data` - * Upload `pretrained_dga_model_dsdl.pynb` into Jupyter lab notebooks folder using - the upload option in Jupyter lab + * Upload `pretrained_dga_model_dsdl.pynb` into Jupyter lab notebooks folder using the upload option in Jupyter lab * Save the notebook using the save option in jupyter notebook. * Upload `pretrained_dga_model_dsdl.json` into `notebooks/data` folder.' -known_false_positives: False positives may be present if domain name is similar to - dga generated domains. +known_false_positives: False positives may be present if domain name is similar to dga generated domains. references: - https://attack.mitre.org/techniques/T1568/002/ - https://unit42.paloaltonetworks.com/threat-brief-understanding-domain-generation-algorithms-dga/ @@ -63,8 +40,7 @@ tags: asset_type: Endpoint confidence: 90 impact: 70 - message: A potential connection to a DGA domain $domain$ was detected from host - $src$, kindly review. + message: A potential connection to a DGA domain $domain$ was detected from host $src$, kindly review. mitre_attack_id: - T1568.002 observable: diff --git a/detections/network/detect_dns_data_exfiltration_using_pretrained_model_in_dsdl.yml b/detections/network/detect_dns_data_exfiltration_using_pretrained_model_in_dsdl.yml index 12e1b143cb..e5a6b2fd24 100644 --- a/detections/network/detect_dns_data_exfiltration_using_pretrained_model_in_dsdl.yml +++ b/detections/network/detect_dns_data_exfiltration_using_pretrained_model_in_dsdl.yml @@ -6,43 +6,10 @@ status: experimental author: Abhinav Mishra, Kumar Sharad and Namratha Sreekanta, Splunk type: Anomaly data_source: [] -description: The following analytic identifies potential DNS data exfiltration using - a pre-trained deep learning model. It leverages DNS request data from the Network - Resolution datamodel and computes features from past events between the same source - and domain. The model generates a probability score (pred_is_exfiltration_proba) - indicating the likelihood of data exfiltration. This activity is significant as - DNS tunneling can be used by attackers to covertly exfiltrate sensitive data. If - confirmed malicious, this could lead to unauthorized data access and potential data - breaches, compromising the organization's security posture. -search: '| tstats `security_content_summariesonly` count from datamodel=Network_Resolution - by DNS.src _time DNS.query | `drop_dm_object_name("DNS")` | sort - _time,src, query - | streamstats count as rank by src query | where rank < 10 | table src,query,rank,_time - | apply detect_dns_data_exfiltration_using_pretrained_model_in_dsdl | table src,_time,query,rank,pred_is_dns_data_exfiltration_proba,pred_is_dns_data_exfiltration - | where rank == 1 | rename pred_is_dns_data_exfiltration_proba as is_exfiltration_score - | rename pred_is_dns_data_exfiltration as is_exfiltration | where is_exfiltration_score - > 0.5 | `security_content_ctime(_time)` | table src, _time,query,is_exfiltration_score,is_exfiltration - | `detect_dns_data_exfiltration_using_pretrained_model_in_dsdl_filter`' -how_to_implement: "Steps to deploy detect DNS data exfiltration model into Splunk - App DSDL. This detection depends on the Splunk app for Data Science and Deep Learning - which can be found here - https://splunkbase.splunk.com/app/4607/ and the Network - Resolution datamodel which can be found here - https://splunkbase.splunk.com/app/1621/. - The detection uses a pre-trained deep learning model that needs to be deployed in - DSDL app. Follow the steps for deployment here - `https://github.com/splunk/security_content/wiki/How-to-deploy-pre-trained-Deep-Learning-models-for-ESCU`.\n - * Download the `artifacts .tar.gz` file from the link - https://seal.splunkresearch.com/detect_dns_data_exfiltration_using_pretrained_model_in_dsdl.tar.gz - Download the `detect_dns_data_exfiltration_using_pretrained_model_in_dsdl.ipynb` - Jupyter notebook from https://github.com/splunk/security_content/notebooks\n* Login - to the Jupyter Lab assigned for detect_dns_data_exfiltration_using_pretrained_model_in_dsdl - container. This container should be listed on Containers page for DSDL app.\n* Below - steps need to be followed inside Jupyter lab\n* Upload the detect_dns_data_exfiltration_using_pretrained_model_in_dsdl.tar.gz - file into `app/model/data` path using the upload option in the jupyter notebook.\n - * Untar the artifact detect_dns_data_exfiltration_using_pretrained_model_in_dsdl.tar.gz - using `tar -xf app/model/data/detect_suspicious_dns_txt_records_using_pretrained_model_in_dsdl.tar.gz - -C app/model/data`\n* Upload detect_dns_data_exfiltration_using_pretrained_model_in_dsdl.pynb - into Jupyter lab notebooks folder using the upload option in Jupyter lab\n* Save - the notebook using the save option in jupyter notebook.\n* Upload `detect_dns_data_exfiltration_using_pretrained_model_in_dsdl.json` - into `notebooks/data` folder." -known_false_positives: False positives may be present if DNS data exfiltration request - look very similar to benign DNS requests. +description: The following analytic identifies potential DNS data exfiltration using a pre-trained deep learning model. It leverages DNS request data from the Network Resolution datamodel and computes features from past events between the same source and domain. The model generates a probability score (pred_is_exfiltration_proba) indicating the likelihood of data exfiltration. This activity is significant as DNS tunneling can be used by attackers to covertly exfiltrate sensitive data. If confirmed malicious, this could lead to unauthorized data access and potential data breaches, compromising the organization's security posture. +search: '| tstats `security_content_summariesonly` count from datamodel=Network_Resolution by DNS.src _time DNS.query | `drop_dm_object_name("DNS")` | sort - _time,src, query | streamstats count as rank by src query | where rank < 10 | table src,query,rank,_time | apply detect_dns_data_exfiltration_using_pretrained_model_in_dsdl | table src,_time,query,rank,pred_is_dns_data_exfiltration_proba,pred_is_dns_data_exfiltration | where rank == 1 | rename pred_is_dns_data_exfiltration_proba as is_exfiltration_score | rename pred_is_dns_data_exfiltration as is_exfiltration | where is_exfiltration_score > 0.5 | `security_content_ctime(_time)` | table src, _time,query,is_exfiltration_score,is_exfiltration | `detect_dns_data_exfiltration_using_pretrained_model_in_dsdl_filter`' +how_to_implement: "Steps to deploy detect DNS data exfiltration model into Splunk App DSDL. This detection depends on the Splunk app for Data Science and Deep Learning which can be found here - https://splunkbase.splunk.com/app/4607/ and the Network Resolution datamodel which can be found here - https://splunkbase.splunk.com/app/1621/. The detection uses a pre-trained deep learning model that needs to be deployed in DSDL app. Follow the steps for deployment here - `https://github.com/splunk/security_content/wiki/How-to-deploy-pre-trained-Deep-Learning-models-for-ESCU`.\n * Download the `artifacts .tar.gz` file from the link - https://seal.splunkresearch.com/detect_dns_data_exfiltration_using_pretrained_model_in_dsdl.tar.gz Download the `detect_dns_data_exfiltration_using_pretrained_model_in_dsdl.ipynb` Jupyter notebook from https://github.com/splunk/security_content/notebooks\n* Login to the Jupyter Lab assigned for detect_dns_data_exfiltration_using_pretrained_model_in_dsdl container. This container should be listed on Containers page for DSDL app.\n* Below steps need to be followed inside Jupyter lab\n* Upload the detect_dns_data_exfiltration_using_pretrained_model_in_dsdl.tar.gz file into `app/model/data` path using the upload option in the jupyter notebook.\n * Untar the artifact detect_dns_data_exfiltration_using_pretrained_model_in_dsdl.tar.gz using `tar -xf app/model/data/detect_suspicious_dns_txt_records_using_pretrained_model_in_dsdl.tar.gz -C app/model/data`\n* Upload detect_dns_data_exfiltration_using_pretrained_model_in_dsdl.pynb into Jupyter lab notebooks folder using the upload option in Jupyter lab\n* Save the notebook using the save option in jupyter notebook.\n* Upload `detect_dns_data_exfiltration_using_pretrained_model_in_dsdl.json` into `notebooks/data` folder." +known_false_positives: False positives may be present if DNS data exfiltration request look very similar to benign DNS requests. references: - https://attack.mitre.org/techniques/T1048/003/ - https://unit42.paloaltonetworks.com/dns-tunneling-how-dns-can-be-abused-by-malicious-actors/ diff --git a/detections/network/detect_hosts_connecting_to_dynamic_domain_providers.yml b/detections/network/detect_hosts_connecting_to_dynamic_domain_providers.yml index 56354c07df..2aa4f9b20f 100644 --- a/detections/network/detect_hosts_connecting_to_dynamic_domain_providers.yml +++ b/detections/network/detect_hosts_connecting_to_dynamic_domain_providers.yml @@ -23,12 +23,12 @@ how_to_implement: 'First, you''ll need to ingest data from your DNS operations. known_false_positives: Some users and applications may leverage Dynamic DNS to reach out to some domains on the Internet since dynamic DNS by itself is not malicious, however this activity must be verified. references: [] drilldown_searches: -- name: View the detection results for $host$ - search: '%original_detection_search% | search host = $host$' +- name: View the detection results for - "$host$" + search: '%original_detection_search% | search host = "$host$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $host$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($host$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$host$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$host$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/network/detect_ipv6_network_infrastructure_threats.yml b/detections/network/detect_ipv6_network_infrastructure_threats.yml index b1dfa36b47..139bd9c2f3 100644 --- a/detections/network/detect_ipv6_network_infrastructure_threats.yml +++ b/detections/network/detect_ipv6_network_infrastructure_threats.yml @@ -5,29 +5,10 @@ date: '2024-10-17' author: Mikael Bjerkeland, Splunk status: experimental type: TTP -description: The following analytic detects IPv6 network infrastructure threats by - identifying suspicious activities such as IP and MAC address theft or packet drops. - It leverages logs from Cisco network devices configured with First Hop Security - measures like RA Guard and DHCP Guard. This activity is significant as it can indicate - attempts to compromise network integrity and security. If confirmed malicious, attackers - could manipulate network traffic, leading to potential data interception, unauthorized - access, or network disruption. +description: The following analytic detects IPv6 network infrastructure threats by identifying suspicious activities such as IP and MAC address theft or packet drops. It leverages logs from Cisco network devices configured with First Hop Security measures like RA Guard and DHCP Guard. This activity is significant as it can indicate attempts to compromise network integrity and security. If confirmed malicious, attackers could manipulate network traffic, leading to potential data interception, unauthorized access, or network disruption. data_source: [] -search: '`cisco_networks` facility="SISF" mnemonic IN ("IP_THEFT","MAC_THEFT","MAC_AND_IP_THEFT","PAK_DROP") - | eval src_interface=src_int_prefix_long+src_int_suffix | eval dest_interface=dest_int_prefix_long+dest_int_suffix - | stats min(_time) AS firstTime max(_time) AS lastTime values(src_mac) AS src_mac - values(src_vlan) AS src_vlan values(mnemonic) AS mnemonic values(vendor_explanation) - AS vendor_explanation values(src_ip) AS src_ip values(dest_ip) AS dest_ip values(dest_interface) - AS dest_interface values(action) AS action count BY host src_interface | table host - src_interface dest_interface src_mac src_ip dest_ip src_vlan mnemonic vendor_explanation - action count | `security_content_ctime(firstTime)` |`security_content_ctime(lastTime)` - | `detect_ipv6_network_infrastructure_threats_filter`' -how_to_implement: This search uses a standard SPL query on logs from Cisco Network - devices. The network devices must be configured with one or more First Hop Security - measures such as RA Guard, DHCP Guard and/or device tracking. See References for - more information. The search also requires that the Cisco Networks Add-on for Splunk - (https://splunkbase.splunk.com/app/1467) is used to parse the logs from the Cisco - network devices. +search: '`cisco_networks` facility="SISF" mnemonic IN ("IP_THEFT","MAC_THEFT","MAC_AND_IP_THEFT","PAK_DROP") | eval src_interface=src_int_prefix_long+src_int_suffix | eval dest_interface=dest_int_prefix_long+dest_int_suffix | stats min(_time) AS firstTime max(_time) AS lastTime values(src_mac) AS src_mac values(src_vlan) AS src_vlan values(mnemonic) AS mnemonic values(vendor_explanation) AS vendor_explanation values(src_ip) AS src_ip values(dest_ip) AS dest_ip values(dest_interface) AS dest_interface values(action) AS action count BY host src_interface | table host src_interface dest_interface src_mac src_ip dest_ip src_vlan mnemonic vendor_explanation action count | `security_content_ctime(firstTime)` |`security_content_ctime(lastTime)` | `detect_ipv6_network_infrastructure_threats_filter`' +how_to_implement: This search uses a standard SPL query on logs from Cisco Network devices. The network devices must be configured with one or more First Hop Security measures such as RA Guard, DHCP Guard and/or device tracking. See References for more information. The search also requires that the Cisco Networks Add-on for Splunk (https://splunkbase.splunk.com/app/1467) is used to parse the logs from the Cisco network devices. known_false_positives: None currently known references: - https://www.ciscolive.com/c/dam/r/ciscolive/emea/docs/2020/pdf/BRKSEC-3200.pdf diff --git a/detections/network/detect_large_outbound_icmp_packets.yml b/detections/network/detect_large_outbound_icmp_packets.yml index d050dddd88..fca5de51be 100644 --- a/detections/network/detect_large_outbound_icmp_packets.yml +++ b/detections/network/detect_large_outbound_icmp_packets.yml @@ -5,38 +5,11 @@ date: '2024-10-17' author: Rico Valdez, Splunk status: experimental type: TTP -description: The following analytic identifies outbound ICMP packets with a size larger - than 1,000 bytes. It leverages the Network_Traffic data model to detect unusually - large ICMP packets that are not blocked and are destined for external IP addresses. - This activity is significant because threat actors often use ICMP for command and - control communication, and large ICMP packets can indicate data exfiltration or - other malicious activities. If confirmed malicious, this could allow attackers to - maintain covert communication channels, exfiltrate sensitive data, or further compromise - the network. +description: The following analytic identifies outbound ICMP packets with a size larger than 1,000 bytes. It leverages the Network_Traffic data model to detect unusually large ICMP packets that are not blocked and are destined for external IP addresses. This activity is significant because threat actors often use ICMP for command and control communication, and large ICMP packets can indicate data exfiltration or other malicious activities. If confirmed malicious, this could allow attackers to maintain covert communication channels, exfiltrate sensitive data, or further compromise the network. data_source: [] -search: '| tstats `security_content_summariesonly` count earliest(_time) as firstTime - latest(_time) as lastTime values(All_Traffic.action) values(All_Traffic.bytes) from - datamodel=Network_Traffic where All_Traffic.action !=blocked All_Traffic.dest_category - !=internal (All_Traffic.protocol=icmp OR All_Traffic.transport=icmp) All_Traffic.bytes - > 1000 by All_Traffic.src_ip All_Traffic.dest_ip | `drop_dm_object_name("All_Traffic")` - | search ( dest_ip!=10.0.0.0/8 AND dest_ip!=172.16.0.0/12 AND dest_ip!=192.168.0.0/16) - | `security_content_ctime(firstTime)`|`security_content_ctime(lastTime)` | `detect_large_outbound_icmp_packets_filter`' -how_to_implement: 'In order to run this search effectively, we highly recommend that - you leverage the Assets and Identity framework. It is important that you have a - good understanding of how your network segments are designed and that you are able - to distinguish internal from external address space. Add a category named `internal` - to the CIDRs that host the company''s assets in the `assets_by_cidr.csv` lookup - file, which is located in `$SPLUNK_HOME/etc/apps/SA-IdentityManagement/lookups/`. - More information on updating this lookup can be found here: https://docs.splunk.com/Documentation/ES/5.0.0/Admin/Addassetandidentitydata. - This search also requires you to be ingesting your network traffic and populating - the Network_Traffic data model' -known_false_positives: ICMP packets are used in a variety of ways to help troubleshoot - networking issues and ensure the proper flow of traffic. As such, it is possible - that a large ICMP packet could be perfectly legitimate. If large ICMP packets are - associated with Command And Control traffic, there will typically be a large number - of these packets observed over time. If the search is providing a large number of - false positives, you can modify the macro `detect_large_outbound_icmp_packets_filter` - to adjust the byte threshold or add specific IP addresses to an allow list. +search: '| tstats `security_content_summariesonly` count earliest(_time) as firstTime latest(_time) as lastTime values(All_Traffic.action) values(All_Traffic.bytes) from datamodel=Network_Traffic where All_Traffic.action !=blocked All_Traffic.dest_category !=internal (All_Traffic.protocol=icmp OR All_Traffic.transport=icmp) All_Traffic.bytes > 1000 by All_Traffic.src_ip All_Traffic.dest_ip | `drop_dm_object_name("All_Traffic")` | search ( dest_ip!=10.0.0.0/8 AND dest_ip!=172.16.0.0/12 AND dest_ip!=192.168.0.0/16) | `security_content_ctime(firstTime)`|`security_content_ctime(lastTime)` | `detect_large_outbound_icmp_packets_filter`' +how_to_implement: 'In order to run this search effectively, we highly recommend that you leverage the Assets and Identity framework. It is important that you have a good understanding of how your network segments are designed and that you are able to distinguish internal from external address space. Add a category named `internal` to the CIDRs that host the company''s assets in the `assets_by_cidr.csv` lookup file, which is located in `$SPLUNK_HOME/etc/apps/SA-IdentityManagement/lookups/`. More information on updating this lookup can be found here: https://docs.splunk.com/Documentation/ES/5.0.0/Admin/Addassetandidentitydata. This search also requires you to be ingesting your network traffic and populating the Network_Traffic data model' +known_false_positives: ICMP packets are used in a variety of ways to help troubleshoot networking issues and ensure the proper flow of traffic. As such, it is possible that a large ICMP packet could be perfectly legitimate. If large ICMP packets are associated with Command And Control traffic, there will typically be a large number of these packets observed over time. If the search is providing a large number of false positives, you can modify the macro `detect_large_outbound_icmp_packets_filter` to adjust the byte threshold or add specific IP addresses to an allow list. references: [] tags: analytic_story: diff --git a/detections/network/detect_outbound_ldap_traffic.yml b/detections/network/detect_outbound_ldap_traffic.yml index d0303e9b5d..44b24ed199 100644 --- a/detections/network/detect_outbound_ldap_traffic.yml +++ b/detections/network/detect_outbound_ldap_traffic.yml @@ -5,26 +5,12 @@ date: '2024-10-17' author: Bhavin Patel, Johan Bjerke, Splunk status: production type: Hunting -description: The following analytic identifies outbound LDAP traffic to external IP - addresses. It leverages the Network_Traffic data model to detect connections on - ports 389 or 636 that are not directed to private IP ranges (RFC1918). This activity - is significant because outbound LDAP traffic can indicate potential data exfiltration - or unauthorized access attempts. If confirmed malicious, attackers could exploit - this to access sensitive directory information, leading to data breaches or further - network compromise. +description: The following analytic identifies outbound LDAP traffic to external IP addresses. It leverages the Network_Traffic data model to detect connections on ports 389 or 636 that are not directed to private IP ranges (RFC1918). This activity is significant because outbound LDAP traffic can indicate potential data exfiltration or unauthorized access attempts. If confirmed malicious, attackers could exploit this to access sensitive directory information, leading to data breaches or further network compromise. data_source: - Bro -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(All_Traffic.dest_ip) - as dest_ip from datamodel=Network_Traffic.All_Traffic where All_Traffic.dest_port - = 389 OR All_Traffic.dest_port = 636 AND NOT (All_Traffic.dest_ip = 10.0.0.0/8 OR - All_Traffic.dest_ip=192.168.0.0/16 OR All_Traffic.dest_ip = 172.16.0.0/12) by All_Traffic.src_ip - All_Traffic.dest_ip |`drop_dm_object_name("All_Traffic")` | where src_ip != dest_ip - | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` - |`detect_outbound_ldap_traffic_filter`' +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(All_Traffic.dest_ip) as dest_ip from datamodel=Network_Traffic.All_Traffic where All_Traffic.dest_port = 389 OR All_Traffic.dest_port = 636 AND NOT (All_Traffic.dest_ip = 10.0.0.0/8 OR All_Traffic.dest_ip=192.168.0.0/16 OR All_Traffic.dest_ip = 172.16.0.0/12) by All_Traffic.src_ip All_Traffic.dest_ip |`drop_dm_object_name("All_Traffic")` | where src_ip != dest_ip | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` |`detect_outbound_ldap_traffic_filter`' how_to_implement: In order to properly run this search, Splunk needs to ingest data from Next Generation Firewalls like Palo Alto Networks Firewalls or other network control devices that mediate the traffic allowed into an environment. The search requires the Network_Traffic data model to be populated. -known_false_positives: Unknown at this moment. Outbound LDAP traffic should not be - allowed outbound through your perimeter firewall. Please check those servers to - verify if the activity is legitimate. +known_false_positives: Unknown at this moment. Outbound LDAP traffic should not be allowed outbound through your perimeter firewall. Please check those servers to verify if the activity is legitimate. references: - https://www.govcert.ch/blog/zero-day-exploit-targeting-popular-java-library-log4j/ tags: @@ -35,8 +21,7 @@ tags: cve: - CVE-2021-44228 impact: 70 - message: An outbound LDAP connection from $src_ip$ in your infrastructure connecting - to dest ip $dest_ip$ + message: An outbound LDAP connection from $src_ip$ in your infrastructure connecting to dest ip $dest_ip$ mitre_attack_id: - T1190 - T1059 diff --git a/detections/network/detect_outbound_smb_traffic.yml b/detections/network/detect_outbound_smb_traffic.yml index cf7befebb3..b3c71b4b08 100644 --- a/detections/network/detect_outbound_smb_traffic.yml +++ b/detections/network/detect_outbound_smb_traffic.yml @@ -5,34 +5,11 @@ date: '2024-10-17' author: Bhavin Patel, Stuart Hopkins, Patrick Bareiss status: experimental type: TTP -description: The following analytic detects outbound SMB (Server Message Block) connections - from internal hosts to external servers. It identifies this activity by monitoring - network traffic for SMB requests directed towards the Internet, which are unusual - for standard operations. This detection is significant for a SOC as it can indicate - an attacker's attempt to retrieve credential hashes through compromised servers, - a key step in lateral movement and privilege escalation. If confirmed malicious, - this activity could lead to unauthorized access to sensitive data and potential - full system compromise. +description: The following analytic detects outbound SMB (Server Message Block) connections from internal hosts to external servers. It identifies this activity by monitoring network traffic for SMB requests directed towards the Internet, which are unusual for standard operations. This detection is significant for a SOC as it can indicate an attacker's attempt to retrieve credential hashes through compromised servers, a key step in lateral movement and privilege escalation. If confirmed malicious, this activity could lead to unauthorized access to sensitive data and potential full system compromise. data_source: [] -search: '| tstats `security_content_summariesonly` earliest(_time) as start_time latest(_time) - as end_time values(All_Traffic.action) as action values(All_Traffic.app) as app - values(All_Traffic.dest_ip) as dest_ip values(All_Traffic.dest_port) as dest_port - values(sourcetype) as sourcetype count from datamodel=Network_Traffic where (All_Traffic.action=allowed - All_Traffic.direction=outbound All_Traffic.dest_port=139 OR All_Traffic.dest_port=445 - OR All_Traffic.app="smb") by All_Traffic.src_ip | `drop_dm_object_name("All_Traffic")` - | eval match=case( cidrmatch("10.0.0.0/8" ,dest_ip) ,"1", cidrmatch("172.16.0.0/12" - ,dest_ip) ,"1", cidrmatch("192.168.0.0/16" ,dest_ip) ,"1", cidrmatch("100.64.0.0/10" - ,dest_ip) ,"1", 1=1,"0") | search match=0 | fields - match | `security_content_ctime(start_time)` - | `security_content_ctime(end_time)` | `detect_outbound_smb_traffic_filter`' -how_to_implement: 'This search also requires you to be ingesting your network traffic - and populating the Network_Traffic data model' -known_false_positives: It is likely that the outbound Server Message Block (SMB) traffic - is legitimate, if the company's internal networks are not well-defined in the Assets - and Identity Framework. Categorize the internal CIDR blocks as `internal` in the - lookup file to avoid creating notable events for traffic destined to those CIDR - blocks. Any other network connection that is going out to the Internet should be - investigated and blocked. Best practices suggest preventing external communications - of all SMB versions and related protocols at the network boundary. +search: '| tstats `security_content_summariesonly` earliest(_time) as start_time latest(_time) as end_time values(All_Traffic.action) as action values(All_Traffic.app) as app values(All_Traffic.dest_ip) as dest_ip values(All_Traffic.dest_port) as dest_port values(sourcetype) as sourcetype count from datamodel=Network_Traffic where (All_Traffic.action=allowed All_Traffic.direction=outbound All_Traffic.dest_port=139 OR All_Traffic.dest_port=445 OR All_Traffic.app="smb") by All_Traffic.src_ip | `drop_dm_object_name("All_Traffic")` | eval match=case( cidrmatch("10.0.0.0/8" ,dest_ip) ,"1", cidrmatch("172.16.0.0/12" ,dest_ip) ,"1", cidrmatch("192.168.0.0/16" ,dest_ip) ,"1", cidrmatch("100.64.0.0/10" ,dest_ip) ,"1", 1=1,"0") | search match=0 | fields - match | `security_content_ctime(start_time)` | `security_content_ctime(end_time)` | `detect_outbound_smb_traffic_filter`' +how_to_implement: This search also requires you to be ingesting your network traffic and populating the Network_Traffic data model +known_false_positives: It is likely that the outbound Server Message Block (SMB) traffic is legitimate, if the company's internal networks are not well-defined in the Assets and Identity Framework. Categorize the internal CIDR blocks as `internal` in the lookup file to avoid creating notable events for traffic destined to those CIDR blocks. Any other network connection that is going out to the Internet should be investigated and blocked. Best practices suggest preventing external communications of all SMB versions and related protocols at the network boundary. references: [] tags: analytic_story: @@ -42,8 +19,7 @@ tags: asset_type: Endpoint confidence: 50 impact: 50 - message: An outbound SMB connection from $src_ip$ in your infrastructure connecting - to dest ip $dest_ip$ + message: An outbound SMB connection from $src_ip$ in your infrastructure connecting to dest ip $dest_ip$ mitre_attack_id: - T1071.002 - T1071 @@ -74,7 +50,6 @@ tags: tests: - name: True Positive Test attack_data: - - data: - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1071.002/outbound_smb_traffic/zeek_conn.log + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1071.002/outbound_smb_traffic/zeek_conn.log sourcetype: bro:conn:json source: conn.log diff --git a/detections/network/detect_port_security_violation.yml b/detections/network/detect_port_security_violation.yml index c26545bcdc..e131336825 100644 --- a/detections/network/detect_port_security_violation.yml +++ b/detections/network/detect_port_security_violation.yml @@ -5,30 +5,11 @@ date: '2024-10-17' author: Mikael Bjerkeland, Splunk status: experimental type: TTP -description: The following analytic detects port security violations on Cisco switches. - It leverages logs from Cisco network devices, specifically looking for events with - mnemonics indicating port security violations. This activity is significant because - it indicates an unauthorized device attempting to connect to a secured port, potentially - bypassing network access controls. If confirmed malicious, this could allow an attacker - to gain unauthorized access to the network, leading to data exfiltration, network - disruption, or further lateral movement within the environment. +description: The following analytic detects port security violations on Cisco switches. It leverages logs from Cisco network devices, specifically looking for events with mnemonics indicating port security violations. This activity is significant because it indicates an unauthorized device attempting to connect to a secured port, potentially bypassing network access controls. If confirmed malicious, this could allow an attacker to gain unauthorized access to the network, leading to data exfiltration, network disruption, or further lateral movement within the environment. data_source: [] -search: '`cisco_networks` (facility="PM" mnemonic="ERR_DISABLE" disable_cause="psecure-violation") - OR (facility="PORT_SECURITY" mnemonic="PSECURE_VIOLATION" OR mnemonic="PSECURE_VIOLATION_VLAN") - | eval src_interface=src_int_prefix_long+src_int_suffix | stats min(_time) AS firstTime - max(_time) AS lastTime values(disable_cause) AS disable_cause values(src_mac) AS - src_mac values(src_vlan) AS src_vlan values(action) AS action count by host src_interface - | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_port_security_violation_filter`' -how_to_implement: This search uses a standard SPL query on logs from Cisco Network - devices. The network devices must be configured with Port Security and Error Disable - for this to work (see - https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst4500/12-2/25ew/configuration/guide/conf/port_sec.html) - and log with a severity level of minimum "5 - notification". The search also requires - that the Cisco Networks Add-on for Splunk (https://splunkbase.splunk.com/app/1467) - is used to parse the logs from the Cisco network devices. -known_false_positives: This search might be prone to high false positives if you have - malfunctioning devices connected to your ethernet ports or if end users periodically - connect physical devices to the network. +search: '`cisco_networks` (facility="PM" mnemonic="ERR_DISABLE" disable_cause="psecure-violation") OR (facility="PORT_SECURITY" mnemonic="PSECURE_VIOLATION" OR mnemonic="PSECURE_VIOLATION_VLAN") | eval src_interface=src_int_prefix_long+src_int_suffix | stats min(_time) AS firstTime max(_time) AS lastTime values(disable_cause) AS disable_cause values(src_mac) AS src_mac values(src_vlan) AS src_vlan values(action) AS action count by host src_interface | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_port_security_violation_filter`' +how_to_implement: This search uses a standard SPL query on logs from Cisco Network devices. The network devices must be configured with Port Security and Error Disable for this to work (see https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst4500/12-2/25ew/configuration/guide/conf/port_sec.html) and log with a severity level of minimum "5 - notification". The search also requires that the Cisco Networks Add-on for Splunk (https://splunkbase.splunk.com/app/1467) is used to parse the logs from the Cisco network devices. +known_false_positives: This search might be prone to high false positives if you have malfunctioning devices connected to your ethernet ports or if end users periodically connect physical devices to the network. references: [] tags: analytic_story: diff --git a/detections/network/detect_remote_access_software_usage_dns.yml b/detections/network/detect_remote_access_software_usage_dns.yml index f316337c5e..5026122208 100644 --- a/detections/network/detect_remote_access_software_usage_dns.yml +++ b/detections/network/detect_remote_access_software_usage_dns.yml @@ -16,12 +16,12 @@ references: - https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/ - https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/ drilldown_searches: -- name: View the detection results for $src$ - search: '%original_detection_search% | search src = $src$' +- name: View the detection results for - "$src$" + search: '%original_detection_search% | search src = "$src$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $src$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($src$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$src$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/network/detect_remote_access_software_usage_traffic.yml b/detections/network/detect_remote_access_software_usage_traffic.yml index 8b51d154f5..032d96a64a 100644 --- a/detections/network/detect_remote_access_software_usage_traffic.yml +++ b/detections/network/detect_remote_access_software_usage_traffic.yml @@ -17,12 +17,12 @@ references: - https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/ - https://applipedia.paloaltonetworks.com/ drilldown_searches: -- name: View the detection results for $src$ - search: '%original_detection_search% | search src = $src$' +- name: View the detection results for - "$src$" + search: '%original_detection_search% | search src = "$src$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $src$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($src$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$src$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/network/detect_rogue_dhcp_server.yml b/detections/network/detect_rogue_dhcp_server.yml index ac09a6dca5..c147af50ac 100644 --- a/detections/network/detect_rogue_dhcp_server.yml +++ b/detections/network/detect_rogue_dhcp_server.yml @@ -5,27 +5,11 @@ date: '2024-10-17' author: Mikael Bjerkeland, Splunk status: experimental type: TTP -description: The following analytic identifies the presence of unauthorized DHCP servers - on the network. It leverages logs from Cisco network devices with DHCP Snooping - enabled, specifically looking for events where DHCP leases are issued from untrusted - ports. This activity is significant because rogue DHCP servers can facilitate Man-in-the-Middle - attacks, leading to potential data interception and network disruption. If confirmed - malicious, this could allow attackers to redirect network traffic, capture sensitive - information, and compromise the integrity of the network. +description: The following analytic identifies the presence of unauthorized DHCP servers on the network. It leverages logs from Cisco network devices with DHCP Snooping enabled, specifically looking for events where DHCP leases are issued from untrusted ports. This activity is significant because rogue DHCP servers can facilitate Man-in-the-Middle attacks, leading to potential data interception and network disruption. If confirmed malicious, this could allow attackers to redirect network traffic, capture sensitive information, and compromise the integrity of the network. data_source: [] -search: '`cisco_networks` facility="DHCP_SNOOPING" mnemonic="DHCP_SNOOPING_UNTRUSTED_PORT" - | stats min(_time) AS firstTime max(_time) AS lastTime count values(message_type) - AS message_type values(src_mac) AS src_mac BY host | `security_content_ctime(firstTime)`|`security_content_ctime(lastTime)`| - `detect_rogue_dhcp_server_filter`' -how_to_implement: This search uses a standard SPL query on logs from Cisco Network - devices. The network devices must be configured with DHCP Snooping enabled (see - https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst2960x/software/15-0_2_EX/security/configuration_guide/b_sec_152ex_2960-x_cg/b_sec_152ex_2960-x_cg_chapter_01101.html) - and log with a severity level of minimum "5 - notification". The search also requires - that the Cisco Networks Add-on for Splunk (https://splunkbase.splunk.com/app/1467) - is used to parse the logs from the Cisco network devices. -known_false_positives: This search might be prone to high false positives if DHCP - Snooping has been incorrectly configured or in the unlikely event that the DHCP - server has been moved to another network interface. +search: '`cisco_networks` facility="DHCP_SNOOPING" mnemonic="DHCP_SNOOPING_UNTRUSTED_PORT" | stats min(_time) AS firstTime max(_time) AS lastTime count values(message_type) AS message_type values(src_mac) AS src_mac BY host | `security_content_ctime(firstTime)`|`security_content_ctime(lastTime)`| `detect_rogue_dhcp_server_filter`' +how_to_implement: This search uses a standard SPL query on logs from Cisco Network devices. The network devices must be configured with DHCP Snooping enabled (see https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst2960x/software/15-0_2_EX/security/configuration_guide/b_sec_152ex_2960-x_cg/b_sec_152ex_2960-x_cg_chapter_01101.html) and log with a severity level of minimum "5 - notification". The search also requires that the Cisco Networks Add-on for Splunk (https://splunkbase.splunk.com/app/1467) is used to parse the logs from the Cisco network devices. +known_false_positives: This search might be prone to high false positives if DHCP Snooping has been incorrectly configured or in the unlikely event that the DHCP server has been moved to another network interface. references: [] tags: analytic_story: diff --git a/detections/network/detect_snicat_sni_exfiltration.yml b/detections/network/detect_snicat_sni_exfiltration.yml index cad975ee34..c9ccd011f4 100644 --- a/detections/network/detect_snicat_sni_exfiltration.yml +++ b/detections/network/detect_snicat_sni_exfiltration.yml @@ -5,23 +5,10 @@ date: '2024-10-17' author: Shannon Davis, Splunk status: experimental type: TTP -description: The following analytic identifies the use of SNICat tool commands within - the TLS SNI field, indicating potential data exfiltration attempts. It leverages - Zeek SSL data to detect specific SNICat commands such as LIST, LS, SIZE, LD, CB, - EX, ALIVE, EXIT, WHERE, and finito in the server_name field. This activity is significant - as SNICat is a known tool for covert data exfiltration using TLS. If confirmed malicious, - this could allow attackers to exfiltrate sensitive data undetected, posing a severe - threat to data confidentiality and integrity. +description: The following analytic identifies the use of SNICat tool commands within the TLS SNI field, indicating potential data exfiltration attempts. It leverages Zeek SSL data to detect specific SNICat commands such as LIST, LS, SIZE, LD, CB, EX, ALIVE, EXIT, WHERE, and finito in the server_name field. This activity is significant as SNICat is a known tool for covert data exfiltration using TLS. If confirmed malicious, this could allow attackers to exfiltrate sensitive data undetected, posing a severe threat to data confidentiality and integrity. data_source: [] -search: '`zeek_ssl` | rex field=server_name "(?(LIST|LS|SIZE|LD|CB|CD|EX|ALIVE|EXIT|WHERE|finito)-[A-Za-z0-9]{16}\.)" - | stats count by src_ip dest_ip server_name snicat | where count>0 | table src_ip - dest_ip server_name snicat | `detect_snicat_sni_exfiltration_filter`' -how_to_implement: You must be ingesting Zeek SSL data into Splunk. Zeek data should - also be getting ingested in JSON format. We are detecting when any of the predefined - SNICat commands are found within the server_name (SNI) field. These commands are - LIST, LS, SIZE, LD, CB, EX, ALIVE, EXIT, WHERE, and finito. You can go further - once this has been detected, and run other searches to decode the SNI data to prove - or disprove if any data exfiltration has taken place. +search: '`zeek_ssl` | rex field=server_name "(?(LIST|LS|SIZE|LD|CB|CD|EX|ALIVE|EXIT|WHERE|finito)-[A-Za-z0-9]{16}\.)" | stats count by src_ip dest_ip server_name snicat | where count>0 | table src_ip dest_ip server_name snicat | `detect_snicat_sni_exfiltration_filter`' +how_to_implement: You must be ingesting Zeek SSL data into Splunk. Zeek data should also be getting ingested in JSON format. We are detecting when any of the predefined SNICat commands are found within the server_name (SNI) field. These commands are LIST, LS, SIZE, LD, CB, EX, ALIVE, EXIT, WHERE, and finito. You can go further once this has been detected, and run other searches to decode the SNI data to prove or disprove if any data exfiltration has taken place. known_false_positives: Unknown references: - https://www.mnemonic.io/resources/blog/introducing-snicat/ diff --git a/detections/network/detect_software_download_to_network_device.yml b/detections/network/detect_software_download_to_network_device.yml index 4a0340a070..48bdda0511 100644 --- a/detections/network/detect_software_download_to_network_device.yml +++ b/detections/network/detect_software_download_to_network_device.yml @@ -5,31 +5,11 @@ date: '2024-10-17' author: Mikael Bjerkeland, Splunk status: experimental type: TTP -description: The following analytic identifies unauthorized software downloads to - network devices via TFTP, FTP, or SSH/SCP. It detects this activity by analyzing - network traffic events on specific ports (69, 21, 22) from devices categorized as - network, router, or switch. This activity is significant because adversaries may - exploit netbooting to load unauthorized operating systems, potentially compromising - network integrity. If confirmed malicious, this could lead to unauthorized control - over network devices, enabling further attacks, data exfiltration, or persistent - access within the network. +description: The following analytic identifies unauthorized software downloads to network devices via TFTP, FTP, or SSH/SCP. It detects this activity by analyzing network traffic events on specific ports (69, 21, 22) from devices categorized as network, router, or switch. This activity is significant because adversaries may exploit netbooting to load unauthorized operating systems, potentially compromising network integrity. If confirmed malicious, this could lead to unauthorized control over network devices, enabling further attacks, data exfiltration, or persistent access within the network. data_source: [] -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) - as lastTime from datamodel=Network_Traffic where (All_Traffic.transport=udp AND - All_Traffic.dest_port=69) OR (All_Traffic.transport=tcp AND All_Traffic.dest_port=21) - OR (All_Traffic.transport=tcp AND All_Traffic.dest_port=22) AND All_Traffic.dest_category!=common_software_repo_destination - AND All_Traffic.src_category=network OR All_Traffic.src_category=router OR All_Traffic.src_category=switch - by All_Traffic.src All_Traffic.dest All_Traffic.dest_port | `drop_dm_object_name("All_Traffic")` - | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `detect_software_download_to_network_device_filter`' -how_to_implement: This search looks for Network Traffic events to TFTP, FTP or SSH/SCP - ports from network devices. Make sure to tag any network devices as network, router - or switch in order for this detection to work. If the TFTP traffic doesn't traverse - a firewall nor packet inspection, these events will not be logged. This is typically - an issue if the TFTP server is on the same subnet as the network device. There is - also a chance of the network device loading software using a DHCP assigned IP address - (netboot) which is not in the Asset inventory. -known_false_positives: This search will also report any legitimate attempts of software - downloads to network devices as well as outbound SSH sessions from network devices. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Network_Traffic where (All_Traffic.transport=udp AND All_Traffic.dest_port=69) OR (All_Traffic.transport=tcp AND All_Traffic.dest_port=21) OR (All_Traffic.transport=tcp AND All_Traffic.dest_port=22) AND All_Traffic.dest_category!=common_software_repo_destination AND All_Traffic.src_category=network OR All_Traffic.src_category=router OR All_Traffic.src_category=switch by All_Traffic.src All_Traffic.dest All_Traffic.dest_port | `drop_dm_object_name("All_Traffic")` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `detect_software_download_to_network_device_filter`' +how_to_implement: This search looks for Network Traffic events to TFTP, FTP or SSH/SCP ports from network devices. Make sure to tag any network devices as network, router or switch in order for this detection to work. If the TFTP traffic doesn't traverse a firewall nor packet inspection, these events will not be logged. This is typically an issue if the TFTP server is on the same subnet as the network device. There is also a chance of the network device loading software using a DHCP assigned IP address (netboot) which is not in the Asset inventory. +known_false_positives: This search will also report any legitimate attempts of software downloads to network devices as well as outbound SSH sessions from network devices. references: [] tags: analytic_story: diff --git a/detections/network/detect_suspicious_dns_txt_records_using_pretrained_model_in_dsdl.yml b/detections/network/detect_suspicious_dns_txt_records_using_pretrained_model_in_dsdl.yml index f1fcefa273..f10c2c5a70 100644 --- a/detections/network/detect_suspicious_dns_txt_records_using_pretrained_model_in_dsdl.yml +++ b/detections/network/detect_suspicious_dns_txt_records_using_pretrained_model_in_dsdl.yml @@ -5,55 +5,29 @@ date: '2024-10-17' author: Abhinav Mishra, Kumar Sharad and Namratha Sreekanta, Splunk status: experimental type: Anomaly -description: The following analytic identifies suspicious DNS TXT records using a - pre-trained deep learning model. It leverages DNS response data from the Network - Resolution data model, categorizing TXT records into known types via regular expressions. - Records that do not match known patterns are flagged as suspicious. This activity - is significant as DNS TXT records can be used for data exfiltration or command-and-control - communication. If confirmed malicious, attackers could use these records to covertly - transfer data or receive instructions, posing a severe threat to network security. +description: The following analytic identifies suspicious DNS TXT records using a pre-trained deep learning model. It leverages DNS response data from the Network Resolution data model, categorizing TXT records into known types via regular expressions. Records that do not match known patterns are flagged as suspicious. This activity is significant as DNS TXT records can be used for data exfiltration or command-and-control communication. If confirmed malicious, attackers could use these records to covertly transfer data or receive instructions, posing a severe threat to network security. data_source: [] -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) - as lastTime from datamodel=Network_Resolution where DNS.message_type=response AND - DNS.record_type=TXT by DNS.src DNS.dest DNS.answer DNS.record_type | `drop_dm_object_name("DNS")` - | rename answer as text | fields firstTime, lastTime, message_type,record_type,src,dest, - text | apply detect_suspicious_dns_txt_records_using_pretrained_model_in_dsdl | - rename predicted_is_unknown as is_suspicious_score | where is_suspicious_score > - 0.5 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | - table src,dest,text,record_type, firstTime, lastTime,is_suspicious_score | `detect_suspicious_dns_txt_records_using_pretrained_model_in_dsdl_filter`' -how_to_implement: 'Steps to deploy detect suspicious DNS TXT records model into Splunk - App DSDL. This detection depends on the Splunk app for Data Science and Deep Learning - which can be found here - `https://splunkbase.splunk.com/app/4607/` and the Network - Resolution datamodel which can be found here - `https://splunkbase.splunk.com/app/1621/`. - The detection uses a pre-trained deep learning model that needs to be deployed in - DSDL app. Follow the steps for deployment here - `https://github.com/splunk/security_content/wiki/How-to-deploy-pre-trained-Deep-Learning-models-for-ESCU`. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Network_Resolution where DNS.message_type=response AND DNS.record_type=TXT by DNS.src DNS.dest DNS.answer DNS.record_type | `drop_dm_object_name("DNS")` | rename answer as text | fields firstTime, lastTime, message_type,record_type,src,dest, text | apply detect_suspicious_dns_txt_records_using_pretrained_model_in_dsdl | rename predicted_is_unknown as is_suspicious_score | where is_suspicious_score > 0.5 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | table src,dest,text,record_type, firstTime, lastTime,is_suspicious_score | `detect_suspicious_dns_txt_records_using_pretrained_model_in_dsdl_filter`' +how_to_implement: 'Steps to deploy detect suspicious DNS TXT records model into Splunk App DSDL. This detection depends on the Splunk app for Data Science and Deep Learning which can be found here - `https://splunkbase.splunk.com/app/4607/` and the Network Resolution datamodel which can be found here - `https://splunkbase.splunk.com/app/1621/`. The detection uses a pre-trained deep learning model that needs to be deployed in DSDL app. Follow the steps for deployment here - `https://github.com/splunk/security_content/wiki/How-to-deploy-pre-trained-Deep-Learning-models-for-ESCU`. * Download the `artifacts .tar.gz` file from the link - `https://seal.splunkresearch.com/detect_suspicious_dns_txt_records_using_pretrained_model_in_dsdl.tar.gz`. - * Download the `detect_suspicious_dns_txt_records_using_pretrained_model_in_dsdl.ipynb` - Jupyter notebook from `https://github.com/splunk/security_content/notebooks`. + * Download the `detect_suspicious_dns_txt_records_using_pretrained_model_in_dsdl.ipynb` Jupyter notebook from `https://github.com/splunk/security_content/notebooks`. - * Login to the Jupyter Lab assigned for `detect_suspicious_dns_txt_records_using_pretrained_model_in_dsdl` - container. This container should be listed on Containers page for DSDL app. + * Login to the Jupyter Lab assigned for `detect_suspicious_dns_txt_records_using_pretrained_model_in_dsdl` container. This container should be listed on Containers page for DSDL app. * Below steps need to be followed inside Jupyter lab. - * Upload the `detect_suspicious_dns_txt_records_using_pretrained_model_in_dsdl.tar.gz` - file into `app/model/data` path using the upload option in the jupyter notebook. + * Upload the `detect_suspicious_dns_txt_records_using_pretrained_model_in_dsdl.tar.gz` file into `app/model/data` path using the upload option in the jupyter notebook. - * Untar the artifact `detect_suspicious_dns_txt_records_using_pretrained_model_in_dsdl.tar.gz` - using `tar -xf app/model/data/detect_suspicious_dns_txt_records_using_pretrained_model_in_dsdl.tar.gz - -C app/model/data`. + * Untar the artifact `detect_suspicious_dns_txt_records_using_pretrained_model_in_dsdl.tar.gz` using `tar -xf app/model/data/detect_suspicious_dns_txt_records_using_pretrained_model_in_dsdl.tar.gz -C app/model/data`. - * Upload detect_suspicious_dns_txt_records_using_pretrained_model_in_dsdl.ipynb` - into Jupyter lab notebooks folder using the upload option in Jupyter lab. + * Upload detect_suspicious_dns_txt_records_using_pretrained_model_in_dsdl.ipynb` into Jupyter lab notebooks folder using the upload option in Jupyter lab. * Save the notebook using the save option in Jupyter notebook. - * Upload `detect_suspicious_dns_txt_records_using_pretrained_model_in_dsdl.json` - into `notebooks/data` folder.' -known_false_positives: False positives may be present if DNS TXT record contents are - similar to benign DNS TXT record contents. + * Upload `detect_suspicious_dns_txt_records_using_pretrained_model_in_dsdl.json` into `notebooks/data` folder.' +known_false_positives: False positives may be present if DNS TXT record contents are similar to benign DNS TXT record contents. references: - https://attack.mitre.org/techniques/T1071/004/ - https://unit42.paloaltonetworks.com/dns-tunneling-how-dns-can-be-abused-by-malicious-actors/ diff --git a/detections/network/detect_traffic_mirroring.yml b/detections/network/detect_traffic_mirroring.yml index 749ea66050..fb4ac5bf17 100644 --- a/detections/network/detect_traffic_mirroring.yml +++ b/detections/network/detect_traffic_mirroring.yml @@ -5,29 +5,11 @@ date: '2024-10-17' author: Mikael Bjerkeland, Splunk status: experimental type: TTP -description: The following analytic detects the initiation of traffic mirroring sessions - on Cisco network devices. It leverages logs with specific mnemonics and facilities - related to traffic mirroring, such as "ETH_SPAN_SESSION_UP" and "PKTCAP_START." - This activity is significant because adversaries may use traffic mirroring to exfiltrate - data by duplicating and forwarding network traffic to an external destination. If - confirmed malicious, this could allow attackers to capture sensitive information, - monitor network communications, and potentially compromise the integrity and confidentiality - of the network. +description: The following analytic detects the initiation of traffic mirroring sessions on Cisco network devices. It leverages logs with specific mnemonics and facilities related to traffic mirroring, such as "ETH_SPAN_SESSION_UP" and "PKTCAP_START." This activity is significant because adversaries may use traffic mirroring to exfiltrate data by duplicating and forwarding network traffic to an external destination. If confirmed malicious, this could allow attackers to capture sensitive information, monitor network communications, and potentially compromise the integrity and confidentiality of the network. data_source: [] -search: '`cisco_networks` (facility="MIRROR" mnemonic="ETH_SPAN_SESSION_UP") OR (facility="SPAN" - mnemonic="SESSION_UP") OR (facility="SPAN" mnemonic="PKTCAP_START") OR (mnemonic="CFGLOG_LOGGEDCMD" - command="monitor session*") | stats min(_time) AS firstTime max(_time) AS lastTime - count BY host facility mnemonic | `security_content_ctime(firstTime)`|`security_content_ctime(lastTime)` - | `detect_traffic_mirroring_filter`' -how_to_implement: This search uses a standard SPL query on logs from Cisco Network - devices. The network devices must log with a severity level of minimum "5 - notification". - The search also requires that the Cisco Networks Add-on for Splunk (https://splunkbase.splunk.com/app/1467) - is used to parse the logs from the Cisco network devices and that the devices have - been configured according to the documentation of the Cisco Networks Add-on. Also - note that an attacker may disable logging from the device prior to enabling traffic - mirroring. -known_false_positives: This search will return false positives for any legitimate - traffic captures by network administrators. +search: '`cisco_networks` (facility="MIRROR" mnemonic="ETH_SPAN_SESSION_UP") OR (facility="SPAN" mnemonic="SESSION_UP") OR (facility="SPAN" mnemonic="PKTCAP_START") OR (mnemonic="CFGLOG_LOGGEDCMD" command="monitor session*") | stats min(_time) AS firstTime max(_time) AS lastTime count BY host facility mnemonic | `security_content_ctime(firstTime)`|`security_content_ctime(lastTime)` | `detect_traffic_mirroring_filter`' +how_to_implement: This search uses a standard SPL query on logs from Cisco Network devices. The network devices must log with a severity level of minimum "5 - notification". The search also requires that the Cisco Networks Add-on for Splunk (https://splunkbase.splunk.com/app/1467) is used to parse the logs from the Cisco network devices and that the devices have been configured according to the documentation of the Cisco Networks Add-on. Also note that an attacker may disable logging from the device prior to enabling traffic mirroring. +known_false_positives: This search will return false positives for any legitimate traffic captures by network administrators. references: [] tags: analytic_story: diff --git a/detections/network/detect_unauthorized_assets_by_mac_address.yml b/detections/network/detect_unauthorized_assets_by_mac_address.yml index 9a8c6a2d56..7ca657267b 100644 --- a/detections/network/detect_unauthorized_assets_by_mac_address.yml +++ b/detections/network/detect_unauthorized_assets_by_mac_address.yml @@ -5,30 +5,11 @@ date: '2024-10-17' author: Bhavin Patel, Splunk status: experimental type: TTP -description: The following analytic identifies unauthorized devices attempting to - connect to the organization's network by inspecting DHCP request packets. It detects - this activity by comparing the MAC addresses in DHCP requests against a list of - known authorized devices stored in the assets_by_str.csv file. This activity is - significant for a SOC because unauthorized devices can pose security risks, including - potential data breaches or network disruptions. If confirmed malicious, this activity - could allow an attacker to gain unauthorized network access, potentially leading - to further exploitation or data exfiltration. +description: The following analytic identifies unauthorized devices attempting to connect to the organization's network by inspecting DHCP request packets. It detects this activity by comparing the MAC addresses in DHCP requests against a list of known authorized devices stored in the assets_by_str.csv file. This activity is significant for a SOC because unauthorized devices can pose security risks, including potential data breaches or network disruptions. If confirmed malicious, this activity could allow an attacker to gain unauthorized network access, potentially leading to further exploitation or data exfiltration. data_source: [] -search: '| tstats `security_content_summariesonly` count from datamodel=Network_Sessions - where nodename=All_Sessions.DHCP All_Sessions.tag=dhcp by All_Sessions.dest_ip All_Sessions.dest_mac - | dedup All_Sessions.dest_mac| `drop_dm_object_name("Network_Sessions")`|`drop_dm_object_name("All_Sessions")` - | search NOT [| inputlookup asset_lookup_by_str |rename mac as dest_mac | fields - + dest_mac] | `detect_unauthorized_assets_by_mac_address_filter`' -how_to_implement: This search uses the Network_Sessions data model shipped with Enterprise - Security. It leverages the Assets and Identity framework to populate the assets_by_str.csv - file located in SA-IdentityManagement, which will contain a list of known authorized - organizational assets including their MAC addresses. Ensure that all inventoried - systems have their MAC address populated. -known_false_positives: This search might be prone to high false positives. Please - consider this when conducting analysis or investigations. Authorized devices may - be detected as unauthorized. If this is the case, verify the MAC address of the - system responsible for the false positive and add it to the Assets and Identity - framework with the proper information. +search: '| tstats `security_content_summariesonly` count from datamodel=Network_Sessions where nodename=All_Sessions.DHCP All_Sessions.tag=dhcp by All_Sessions.dest_ip All_Sessions.dest_mac | dedup All_Sessions.dest_mac| `drop_dm_object_name("Network_Sessions")`|`drop_dm_object_name("All_Sessions")` | search NOT [| inputlookup asset_lookup_by_str |rename mac as dest_mac | fields + dest_mac] | `detect_unauthorized_assets_by_mac_address_filter`' +how_to_implement: This search uses the Network_Sessions data model shipped with Enterprise Security. It leverages the Assets and Identity framework to populate the assets_by_str.csv file located in SA-IdentityManagement, which will contain a list of known authorized organizational assets including their MAC addresses. Ensure that all inventoried systems have their MAC address populated. +known_false_positives: This search might be prone to high false positives. Please consider this when conducting analysis or investigations. Authorized devices may be detected as unauthorized. If this is the case, verify the MAC address of the system responsible for the false positive and add it to the Assets and Identity framework with the proper information. references: [] tags: analytic_story: diff --git a/detections/network/detect_windows_dns_sigred_via_splunk_stream.yml b/detections/network/detect_windows_dns_sigred_via_splunk_stream.yml index ef20aeb7e4..589e454499 100644 --- a/detections/network/detect_windows_dns_sigred_via_splunk_stream.yml +++ b/detections/network/detect_windows_dns_sigred_via_splunk_stream.yml @@ -5,23 +5,10 @@ date: '2024-10-17' author: Shannon Davis, Splunk status: experimental type: TTP -description: "The following analytic detects attempts to exploit the SIGRed vulnerability - (CVE-2020-1350) in Windows DNS servers. It leverages Splunk Stream DNS and TCP data - to identify DNS SIG and KEY records, as well as TCP payloads exceeding 65KB. This - activity is significant because SIGRed is a critical wormable vulnerability that - allows remote code execution. If confirmed malicious, an attacker could gain unauthorized - access, execute arbitrary code, and potentially disrupt services, leading to severe - data breaches and infrastructure compromise. Immediate investigation and remediation - are crucial to mitigate these risks." +description: The following analytic detects attempts to exploit the SIGRed vulnerability (CVE-2020-1350) in Windows DNS servers. It leverages Splunk Stream DNS and TCP data to identify DNS SIG and KEY records, as well as TCP payloads exceeding 65KB. This activity is significant because SIGRed is a critical wormable vulnerability that allows remote code execution. If confirmed malicious, an attacker could gain unauthorized access, execute arbitrary code, and potentially disrupt services, leading to severe data breaches and infrastructure compromise. Immediate investigation and remediation are crucial to mitigate these risks. data_source: [] -search: '`stream_dns` | spath "query_type{}" | search "query_type{}" IN (SIG,KEY) - | spath protocol_stack | search protocol_stack="ip:tcp:dns" | append [search `stream_tcp` - bytes_out>65000] | `detect_windows_dns_sigred_via_splunk_stream_filter` | stats - count by flow_id | where count>1 | fields - count' -how_to_implement: You must be ingesting Splunk Stream DNS and Splunk Stream TCP. We - are detecting SIG and KEY records via stream:dns and TCP payload over 65KB in size - via stream:tcp. Replace the macro definitions ('stream:dns' and 'stream:tcp') with - configurations for your Splunk environment. +search: '`stream_dns` | spath "query_type{}" | search "query_type{}" IN (SIG,KEY) | spath protocol_stack | search protocol_stack="ip:tcp:dns" | append [search `stream_tcp` bytes_out>65000] | `detect_windows_dns_sigred_via_splunk_stream_filter` | stats count by flow_id | where count>1 | fields - count' +how_to_implement: You must be ingesting Splunk Stream DNS and Splunk Stream TCP. We are detecting SIG and KEY records via stream:dns and TCP payload over 65KB in size via stream:tcp. Replace the macro definitions ('stream:dns' and 'stream:tcp') with configurations for your Splunk environment. known_false_positives: unknown references: [] tags: diff --git a/detections/network/detect_windows_dns_sigred_via_zeek.yml b/detections/network/detect_windows_dns_sigred_via_zeek.yml index 1eb181a0c1..8349550848 100644 --- a/detections/network/detect_windows_dns_sigred_via_zeek.yml +++ b/detections/network/detect_windows_dns_sigred_via_zeek.yml @@ -5,19 +5,10 @@ date: '2024-10-17' author: Shannon Davis, Splunk status: experimental type: TTP -description: |- - The following analytic detects the presence of SIGRed, a critical DNS vulnerability, using Zeek DNS and Zeek Conn data. It identifies specific DNS query types (SIG and KEY) and checks for high data transfer within a flow. This detection is significant because SIGRed allows attackers to execute remote code on Windows DNS servers, potentially leading to unauthorized access and control. If confirmed malicious, this activity could result in data exfiltration, service disruption, or further network compromise. Immediate investigation and mitigation, such as patching or isolating the affected server, are crucial. +description: The following analytic detects the presence of SIGRed, a critical DNS vulnerability, using Zeek DNS and Zeek Conn data. It identifies specific DNS query types (SIG and KEY) and checks for high data transfer within a flow. This detection is significant because SIGRed allows attackers to execute remote code on Windows DNS servers, potentially leading to unauthorized access and control. If confirmed malicious, this activity could result in data exfiltration, service disruption, or further network compromise. Immediate investigation and mitigation, such as patching or isolating the affected server, are crucial. data_source: [] -search: '| tstats `security_content_summariesonly` count from datamodel=Network_Resolution - where DNS.query_type IN (SIG,KEY) by DNS.flow_id | rename DNS.flow_id as flow_id - | append [| tstats `security_content_summariesonly` count from datamodel=Network_Traffic - where All_Traffic.bytes_in>65000 by All_Traffic.flow_id | rename All_Traffic.flow_id - as flow_id] | `detect_windows_dns_sigred_via_zeek_filter` | stats count by flow_id - | where count>1 | fields - count' -how_to_implement: You must be ingesting Zeek DNS and Zeek Conn data into Splunk. Zeek - data should also be getting ingested in JSON format. We are detecting SIG and KEY - records via bro:dns:json and TCP payload over 65KB in size via bro:conn:json. The - Network Resolution and Network Traffic datamodels are in use for this search. +search: '| tstats `security_content_summariesonly` count from datamodel=Network_Resolution where DNS.query_type IN (SIG,KEY) by DNS.flow_id | rename DNS.flow_id as flow_id | append [| tstats `security_content_summariesonly` count from datamodel=Network_Traffic where All_Traffic.bytes_in>65000 by All_Traffic.flow_id | rename All_Traffic.flow_id as flow_id] | `detect_windows_dns_sigred_via_zeek_filter` | stats count by flow_id | where count>1 | fields - count' +how_to_implement: You must be ingesting Zeek DNS and Zeek Conn data into Splunk. Zeek data should also be getting ingested in JSON format. We are detecting SIG and KEY records via bro:dns:json and TCP payload over 65KB in size via bro:conn:json. The Network Resolution and Network Traffic datamodels are in use for this search. known_false_positives: unknown references: [] tags: diff --git a/detections/network/detect_zerologon_via_zeek.yml b/detections/network/detect_zerologon_via_zeek.yml index f7300ec0c3..732d12911e 100644 --- a/detections/network/detect_zerologon_via_zeek.yml +++ b/detections/network/detect_zerologon_via_zeek.yml @@ -5,18 +5,10 @@ date: '2024-10-17' author: Shannon Davis, Splunk status: experimental type: TTP -description: |- - The following analytic detects attempts to exploit the Zerologon CVE-2020-1472 vulnerability via Zeek RPC. It leverages Zeek DCE-RPC data to identify specific operations: NetrServerPasswordSet2, NetrServerReqChallenge, and NetrServerAuthenticate3. This activity is significant because it indicates an attempt to gain unauthorized access to a domain controller, potentially leading to a complete takeover of an organization's IT infrastructure. If confirmed malicious, the impact could be severe, including data theft, ransomware deployment, or other devastating outcomes. Immediate investigation of the identified IP addresses and RPC operations is crucial. +description: 'The following analytic detects attempts to exploit the Zerologon CVE-2020-1472 vulnerability via Zeek RPC. It leverages Zeek DCE-RPC data to identify specific operations: NetrServerPasswordSet2, NetrServerReqChallenge, and NetrServerAuthenticate3. This activity is significant because it indicates an attempt to gain unauthorized access to a domain controller, potentially leading to a complete takeover of an organization''s IT infrastructure. If confirmed malicious, the impact could be severe, including data theft, ransomware deployment, or other devastating outcomes. Immediate investigation of the identified IP addresses and RPC operations is crucial.' data_source: [] -search: '`zeek_rpc` operation IN (NetrServerPasswordSet2,NetrServerReqChallenge,NetrServerAuthenticate3) - | bin span=5m _time | stats values(operation) dc(operation) as opscount count(eval(operation=="NetrServerReqChallenge")) - as challenge count(eval(operation=="NetrServerAuthenticate3")) as authcount count(eval(operation=="NetrServerPasswordSet2")) - as passcount count as totalcount by _time,src_ip,dest_ip | search opscount=3 authcount>4 - passcount>0 | search `detect_zerologon_via_zeek_filter`' -how_to_implement: You must be ingesting Zeek DCE-RPC data into Splunk. Zeek data should - also be getting ingested in JSON format. We are detecting when all three RPC operations - (NetrServerReqChallenge, NetrServerAuthenticate3, NetrServerPasswordSet2) are splunk_security_essentials_app - via bro:rpc:json. These three operations are then correlated on the Zeek UID field. +search: '`zeek_rpc` operation IN (NetrServerPasswordSet2,NetrServerReqChallenge,NetrServerAuthenticate3) | bin span=5m _time | stats values(operation) dc(operation) as opscount count(eval(operation=="NetrServerReqChallenge")) as challenge count(eval(operation=="NetrServerAuthenticate3")) as authcount count(eval(operation=="NetrServerPasswordSet2")) as passcount count as totalcount by _time,src_ip,dest_ip | search opscount=3 authcount>4 passcount>0 | search `detect_zerologon_via_zeek_filter`' +how_to_implement: You must be ingesting Zeek DCE-RPC data into Splunk. Zeek data should also be getting ingested in JSON format. We are detecting when all three RPC operations (NetrServerReqChallenge, NetrServerAuthenticate3, NetrServerPasswordSet2) are splunk_security_essentials_app via bro:rpc:json. These three operations are then correlated on the Zeek UID field. known_false_positives: unknown references: - https://www.secura.com/blog/zero-logon diff --git a/detections/network/dns_query_length_outliers___mltk.yml b/detections/network/dns_query_length_outliers___mltk.yml index aea7be14da..6746816a73 100644 --- a/detections/network/dns_query_length_outliers___mltk.yml +++ b/detections/network/dns_query_length_outliers___mltk.yml @@ -5,42 +5,11 @@ date: '2024-10-17' author: Rico Valdez, Splunk status: experimental type: Anomaly -description: The following analytic identifies DNS requests with unusually large query - lengths for the record type being requested. It leverages the Network_Resolution - data model and applies a machine learning model to detect outliers in DNS query - lengths. This activity is significant because unusually large DNS queries can indicate - data exfiltration or command-and-control communication attempts. If confirmed malicious, - this activity could allow attackers to exfiltrate sensitive data or maintain persistent - communication channels with compromised systems. +description: The following analytic identifies DNS requests with unusually large query lengths for the record type being requested. It leverages the Network_Resolution data model and applies a machine learning model to detect outliers in DNS query lengths. This activity is significant because unusually large DNS queries can indicate data exfiltration or command-and-control communication attempts. If confirmed malicious, this activity could allow attackers to exfiltrate sensitive data or maintain persistent communication channels with compromised systems. data_source: [] -search: '| tstats `security_content_summariesonly` count min(_time) as start_time - max(_time) as end_time values(DNS.src) as src values(DNS.dest) as dest from datamodel=Network_Resolution - by DNS.query DNS.record_type | search DNS.record_type=* | `drop_dm_object_name(DNS)` - | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | eval - query_length = len(query) | apply dns_query_pdfmodel threshold=0.01 | rename "IsOutlier(query_length)" - as isOutlier | search isOutlier > 0 | sort -query_length | table start_time end_time - query record_type count src dest query_length | `dns_query_length_outliers___mltk_filter`' -how_to_implement: "To successfully implement this search, you will need to ensure - that DNS data is populating the Network_Resolution data model. In addition, the - Machine Learning Toolkit (MLTK) version 4.2 or greater must be installed on your - search heads, along with any required dependencies. Finally, the support search - \"Baseline of DNS Query Length - MLTK\" must be executed before this detection search, - because it builds a machine-learning (ML) model over the historical data used by - this search. It is important that this search is run in the same app context as - the associated support search, so that the model created by the support search is - available for use. You should periodically re-run the support search to rebuild - the model with the latest data available in your environment.\nThis search produces - fields (`query`,`query_length`,`count`) that are not yet supported by ES Incident - Review and therefore cannot be viewed when a notable event is raised. These fields - contribute additional context to the notable. To see the additional metadata, add - the following fields, if not already present, to Incident Review - Event Attributes - (Configure > Incident Management > Incident Review Settings > Add New Entry):\n - * **Label:** DNS Query, **Field:** query\n* **Label:** DNS Query Length, **Field:** - query_length\n* **Label:** Number of events, **Field:** count\nDetailed documentation - on how to create a new field within Incident Review may be found here: `https://docs.splunk.com/Documentation/ES/5.3.0/Admin/Customizenotables#Add_a_field_to_the_notable_event_details`" -known_false_positives: If you are seeing more results than desired, you may consider - reducing the value for threshold in the search. You should also periodically re-run - the support search to re-build the ML model on the latest data. +search: '| tstats `security_content_summariesonly` count min(_time) as start_time max(_time) as end_time values(DNS.src) as src values(DNS.dest) as dest from datamodel=Network_Resolution by DNS.query DNS.record_type | search DNS.record_type=* | `drop_dm_object_name(DNS)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | eval query_length = len(query) | apply dns_query_pdfmodel threshold=0.01 | rename "IsOutlier(query_length)" as isOutlier | search isOutlier > 0 | sort -query_length | table start_time end_time query record_type count src dest query_length | `dns_query_length_outliers___mltk_filter`' +how_to_implement: "To successfully implement this search, you will need to ensure that DNS data is populating the Network_Resolution data model. In addition, the Machine Learning Toolkit (MLTK) version 4.2 or greater must be installed on your search heads, along with any required dependencies. Finally, the support search \"Baseline of DNS Query Length - MLTK\" must be executed before this detection search, because it builds a machine-learning (ML) model over the historical data used by this search. It is important that this search is run in the same app context as the associated support search, so that the model created by the support search is available for use. You should periodically re-run the support search to rebuild the model with the latest data available in your environment.\nThis search produces fields (`query`,`query_length`,`count`) that are not yet supported by ES Incident Review and therefore cannot be viewed when a notable event is raised. These fields contribute additional context to the notable. To see the additional metadata, add the following fields, if not already present, to Incident Review - Event Attributes (Configure > Incident Management > Incident Review Settings > Add New Entry):\n * **Label:** DNS Query, **Field:** query\n* **Label:** DNS Query Length, **Field:** query_length\n* **Label:** Number of events, **Field:** count\nDetailed documentation on how to create a new field within Incident Review may be found here: `https://docs.splunk.com/Documentation/ES/5.3.0/Admin/Customizenotables#Add_a_field_to_the_notable_event_details`" +known_false_positives: If you are seeing more results than desired, you may consider reducing the value for threshold in the search. You should also periodically re-run the support search to re-build the ML model on the latest data. references: [] tags: analytic_story: diff --git a/detections/network/dns_query_length_with_high_standard_deviation.yml b/detections/network/dns_query_length_with_high_standard_deviation.yml index 623fc65277..7fef7b0ab4 100644 --- a/detections/network/dns_query_length_with_high_standard_deviation.yml +++ b/detections/network/dns_query_length_with_high_standard_deviation.yml @@ -13,12 +13,12 @@ how_to_implement: To successfully implement this search, you will need to ensure known_false_positives: It's possible there can be long domain names that are legitimate. references: [] drilldown_searches: -- name: View the detection results for $host$ - search: '%original_detection_search% | search host = $host$' +- name: View the detection results for - "$host$" + search: '%original_detection_search% | search host = "$host$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $host$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($host$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$host$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$host$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/network/excessive_dns_failures.yml b/detections/network/excessive_dns_failures.yml index f840749574..82dda35400 100644 --- a/detections/network/excessive_dns_failures.yml +++ b/detections/network/excessive_dns_failures.yml @@ -5,29 +5,11 @@ date: '2024-10-17' author: bowesmana, Bhavin Patel, Splunk status: experimental type: Anomaly -description: The following analytic identifies excessive DNS query failures by counting - DNS responses that do not indicate success, triggering when there are more than - 50 occurrences. It leverages the Network_Resolution data model, focusing on DNS - reply codes that signify errors. This activity is significant because a high number - of DNS failures can indicate potential network misconfigurations, DNS poisoning - attempts, or malware communication issues. If confirmed malicious, this activity - could lead to disrupted network services, hindered communication, or data exfiltration - attempts by attackers. +description: The following analytic identifies excessive DNS query failures by counting DNS responses that do not indicate success, triggering when there are more than 50 occurrences. It leverages the Network_Resolution data model, focusing on DNS reply codes that signify errors. This activity is significant because a high number of DNS failures can indicate potential network misconfigurations, DNS poisoning attempts, or malware communication issues. If confirmed malicious, this activity could lead to disrupted network services, hindered communication, or data exfiltration attempts by attackers. data_source: [] -search: '| tstats `security_content_summariesonly` count from datamodel=Network_Resolution - where nodename=DNS "DNS.reply_code"!="No Error" "DNS.reply_code"!="NoError" DNS.reply_code!="unknown" - NOT "DNS.query"="*.arpa" "DNS.query"="*.*" by "DNS.src" "DNS.query" "DNS.reply_code" - | `drop_dm_object_name("DNS")` | lookup cim_corporate_web_domain_lookup domain as - query OUTPUT domain | where isnull(domain) | lookup update=true alexa_lookup_by_str - domain as query OUTPUT rank | where isnull(rank) | eventstats max(count) as mc by - src reply_code | eval mode_query=if(count=mc, query, null()) | stats sum(count) - as count values(mode_query) as query values(mc) as max_query_count by src reply_code - | where count>50 | `get_asset(src)` | `excessive_dns_failures_filter`' -how_to_implement: To successfully implement this search you must ensure that DNS data - is populating the Network_Resolution data model. -known_false_positives: It is possible legitimate traffic can trigger this rule. Please - investigate as appropriate. The threshold for generating an event can also be customized - to better suit your environment. +search: '| tstats `security_content_summariesonly` count from datamodel=Network_Resolution where nodename=DNS "DNS.reply_code"!="No Error" "DNS.reply_code"!="NoError" DNS.reply_code!="unknown" NOT "DNS.query"="*.arpa" "DNS.query"="*.*" by "DNS.src" "DNS.query" "DNS.reply_code" | `drop_dm_object_name("DNS")` | lookup cim_corporate_web_domain_lookup domain as query OUTPUT domain | where isnull(domain) | lookup update=true alexa_lookup_by_str domain as query OUTPUT rank | where isnull(rank) | eventstats max(count) as mc by src reply_code | eval mode_query=if(count=mc, query, null()) | stats sum(count) as count values(mode_query) as query values(mc) as max_query_count by src reply_code | where count>50 | `get_asset(src)` | `excessive_dns_failures_filter`' +how_to_implement: To successfully implement this search you must ensure that DNS data is populating the Network_Resolution data model. +known_false_positives: It is possible legitimate traffic can trigger this rule. Please investigate as appropriate. The threshold for generating an event can also be customized to better suit your environment. references: [] tags: analytic_story: diff --git a/detections/network/f5_big_ip_icontrol_rest_vulnerability_cve_2022_1388.yml b/detections/network/f5_big_ip_icontrol_rest_vulnerability_cve_2022_1388.yml index ffc676423f..2f16c40068 100644 --- a/detections/network/f5_big_ip_icontrol_rest_vulnerability_cve_2022_1388.yml +++ b/detections/network/f5_big_ip_icontrol_rest_vulnerability_cve_2022_1388.yml @@ -18,12 +18,12 @@ references: - https://twitter.com/da_667/status/1523770267327250438?s=20&t=-JnB_aNWuJFsmcOmxGUWLQ - https://github.com/horizon3ai/CVE-2022-1388/blob/main/CVE-2022-1388.py drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/network/high_volume_of_bytes_out_to_url.yml b/detections/network/high_volume_of_bytes_out_to_url.yml index a70086753c..57c17acdbb 100644 --- a/detections/network/high_volume_of_bytes_out_to_url.yml +++ b/detections/network/high_volume_of_bytes_out_to_url.yml @@ -16,12 +16,12 @@ references: - https://www.trendmicro.com/en_us/research/20/l/pawn-storm-lack-of-sophistication-as-a-strategy.html - https://www.bleepingcomputer.com/news/security/hacking-group-s-new-malware-abuses-google-and-facebook-services/ drilldown_searches: -- name: View the detection results for $src$ - search: '%original_detection_search% | search src = $src$' +- name: View the detection results for - "$src$" + search: '%original_detection_search% | search src = "$src$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $src$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($src$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$src$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/network/hosts_receiving_high_volume_of_network_traffic_from_email_server.yml b/detections/network/hosts_receiving_high_volume_of_network_traffic_from_email_server.yml index 61679f4d3c..b130bf67ff 100644 --- a/detections/network/hosts_receiving_high_volume_of_network_traffic_from_email_server.yml +++ b/detections/network/hosts_receiving_high_volume_of_network_traffic_from_email_server.yml @@ -5,38 +5,11 @@ date: '2024-10-17' author: Bhavin Patel, Splunk status: experimental type: Anomaly -description: The following analytic identifies hosts receiving an unusually high volume - of network traffic from an email server. It leverages the Network_Traffic data model - to sum incoming bytes to clients from email servers, comparing current traffic against - historical averages and standard deviations. This activity is significant as it - may indicate data exfiltration by a malicious actor using the email server. If confirmed - malicious, this could lead to unauthorized data access and potential data breaches, - compromising sensitive information and impacting organizational security. +description: The following analytic identifies hosts receiving an unusually high volume of network traffic from an email server. It leverages the Network_Traffic data model to sum incoming bytes to clients from email servers, comparing current traffic against historical averages and standard deviations. This activity is significant as it may indicate data exfiltration by a malicious actor using the email server. If confirmed malicious, this could lead to unauthorized data access and potential data breaches, compromising sensitive information and impacting organizational security. data_source: [] -search: '| tstats `security_content_summariesonly` sum(All_Traffic.bytes_in) as bytes_in - from datamodel=Network_Traffic where All_Traffic.dest_category=email_server by All_Traffic.src_ip - _time span=1d | `drop_dm_object_name("All_Traffic")` | eventstats avg(bytes_in) - as avg_bytes_in stdev(bytes_in) as stdev_bytes_in | eventstats count as num_data_samples - avg(eval(if(_time < relative_time(now(), "@d"), bytes_in, null))) as per_source_avg_bytes_in - stdev(eval(if(_time < relative_time(now(), "@d"), bytes_in, null))) as per_source_stdev_bytes_in - by src_ip | eval minimum_data_samples = 4, deviation_threshold = 3 | where num_data_samples - >= minimum_data_samples AND bytes_in > (avg_bytes_in + (deviation_threshold * stdev_bytes_in)) - AND bytes_in > (per_source_avg_bytes_in + (deviation_threshold * per_source_stdev_bytes_in)) - AND _time >= relative_time(now(), "@d") | eval num_standard_deviations_away_from_server_average - = round(abs(bytes_in - avg_bytes_in) / stdev_bytes_in, 2), num_standard_deviations_away_from_client_average - = round(abs(bytes_in - per_source_avg_bytes_in) / per_source_stdev_bytes_in, 2) - | table src_ip, _time, bytes_in, avg_bytes_in, per_source_avg_bytes_in, num_standard_deviations_away_from_server_average, - num_standard_deviations_away_from_client_average | `hosts_receiving_high_volume_of_network_traffic_from_email_server_filter`' -how_to_implement: This search requires you to be ingesting your network traffic and - populating the Network_Traffic data model. Your email servers must be categorized - as "email_server" for the search to work, as well. You may need to adjust the deviation_threshold - and minimum_data_samples values based on the network traffic in your environment. - The "deviation_threshold" field is a multiplying factor to control how much variation - you're willing to tolerate. The "minimum_data_samples" field is the minimum number - of connections of data samples required for the statistic to be valid. -known_false_positives: The false-positive rate will vary based on how you set the - deviation_threshold and data_samples values. Our recommendation is to adjust these - values based on your network traffic to and from your email servers. +search: '| tstats `security_content_summariesonly` sum(All_Traffic.bytes_in) as bytes_in from datamodel=Network_Traffic where All_Traffic.dest_category=email_server by All_Traffic.src_ip _time span=1d | `drop_dm_object_name("All_Traffic")` | eventstats avg(bytes_in) as avg_bytes_in stdev(bytes_in) as stdev_bytes_in | eventstats count as num_data_samples avg(eval(if(_time < relative_time(now(), "@d"), bytes_in, null))) as per_source_avg_bytes_in stdev(eval(if(_time < relative_time(now(), "@d"), bytes_in, null))) as per_source_stdev_bytes_in by src_ip | eval minimum_data_samples = 4, deviation_threshold = 3 | where num_data_samples >= minimum_data_samples AND bytes_in > (avg_bytes_in + (deviation_threshold * stdev_bytes_in)) AND bytes_in > (per_source_avg_bytes_in + (deviation_threshold * per_source_stdev_bytes_in)) AND _time >= relative_time(now(), "@d") | eval num_standard_deviations_away_from_server_average = round(abs(bytes_in - avg_bytes_in) / stdev_bytes_in, 2), num_standard_deviations_away_from_client_average = round(abs(bytes_in - per_source_avg_bytes_in) / per_source_stdev_bytes_in, 2) | table src_ip, _time, bytes_in, avg_bytes_in, per_source_avg_bytes_in, num_standard_deviations_away_from_server_average, num_standard_deviations_away_from_client_average | `hosts_receiving_high_volume_of_network_traffic_from_email_server_filter`' +how_to_implement: This search requires you to be ingesting your network traffic and populating the Network_Traffic data model. Your email servers must be categorized as "email_server" for the search to work, as well. You may need to adjust the deviation_threshold and minimum_data_samples values based on the network traffic in your environment. The "deviation_threshold" field is a multiplying factor to control how much variation you're willing to tolerate. The "minimum_data_samples" field is the minimum number of connections of data samples required for the statistic to be valid. +known_false_positives: The false-positive rate will vary based on how you set the deviation_threshold and data_samples values. Our recommendation is to adjust these values based on your network traffic to and from your email servers. references: [] tags: analytic_story: diff --git a/detections/network/internal_horizontal_port_scan.yml b/detections/network/internal_horizontal_port_scan.yml index 2eb09242cc..413608fe6a 100644 --- a/detections/network/internal_horizontal_port_scan.yml +++ b/detections/network/internal_horizontal_port_scan.yml @@ -13,12 +13,12 @@ how_to_implement: To properly run this search, Splunk needs to ingest data from known_false_positives: Unknown references: [] drilldown_searches: -- name: View the detection results for $src_ip$ - search: '%original_detection_search% | search src_ip = $src_ip$' +- name: View the detection results for - "$src_ip$" + search: '%original_detection_search% | search src_ip = "$src_ip$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $src_ip$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($src_ip$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$src_ip$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src_ip$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/network/internal_vertical_port_scan.yml b/detections/network/internal_vertical_port_scan.yml index ea6e2b2b2a..3198a824b2 100644 --- a/detections/network/internal_vertical_port_scan.yml +++ b/detections/network/internal_vertical_port_scan.yml @@ -13,12 +13,12 @@ how_to_implement: To properly run this search, Splunk needs to ingest data from known_false_positives: Unknown references: [] drilldown_searches: -- name: View the detection results for $src_ip$ - search: '%original_detection_search% | search src_ip = $src_ip$' +- name: View the detection results for - "$src_ip$" + search: '%original_detection_search% | search src_ip = "$src_ip$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $src_ip$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($src_ip$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$src_ip$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src_ip$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/network/internal_vulnerability_scan.yml b/detections/network/internal_vulnerability_scan.yml index ede596fa12..b154e2a680 100644 --- a/detections/network/internal_vulnerability_scan.yml +++ b/detections/network/internal_vulnerability_scan.yml @@ -6,29 +6,10 @@ author: Dean Luxton status: experimental type: TTP data_source: [] -description: This analytic detects internal hosts triggering multiple IDS signatures, which may include either - more than 25 signatures against a single host or a single signature across over 25 destination IP addresses. - Such patterns can indicate active vulnerability scanning activities within the network. By monitoring - IDS logs, this detection helps identify and respond to potential vulnerability scanning attempts, - enhancing the network's security posture and preventing potential exploits. -search: '| tstats `security_content_summariesonly` values(IDS_Attacks.action) as action - values(IDS_Attacks.src_category) as src_category values(IDS_Attacks.dest_category) - as dest_category count from datamodel=Intrusion_Detection.IDS_Attacks where IDS_Attacks.src - IN (10.0.0.0/8,192.168.0.0/16,172.16.0.0/12) IDS_Attacks.severity IN (critical, - high, medium) by IDS_Attacks.src IDS_Attacks.severity IDS_Attacks.signature IDS_Attacks.dest - IDS_Attacks.dest_port IDS_Attacks.transport span=1s _time | `drop_dm_object_name("IDS_Attacks")` - | eval gtime=_time | bin span=1h gtime | eventstats count as sevCount by severity - src | eventstats count as sigCount by signature src | eval severity=severity +"("+sevCount+")" - | eval signature=signature +"("+sigCount+")" | eval dest_port=transport + "/" + - dest_port | stats min(_time) as _time values(action) as action dc(dest) as destCount - dc(signature) as sigCount values(signature) values(src_category) as src_category - values(dest_category) as dest_category values(severity) as severity values(dest_port) - as dest_ports by src gtime | fields - gtime | where destCount>25 OR sigCount>25 - | `internal_vulnerability_scan_filter`' -how_to_implement: For this detection to function effectively, it is essential to ingest IDS/IPS logs that are - mapped to the Common Information Model (CIM). These logs provide the necessary security-related telemetry - and contextual information needed to accurately identify and analyze potential threats. -known_false_positives: Internal vulnerability scanners will trigger this detection. +description: This analytic detects internal hosts triggering multiple IDS signatures, which may include either more than 25 signatures against a single host or a single signature across over 25 destination IP addresses. Such patterns can indicate active vulnerability scanning activities within the network. By monitoring IDS logs, this detection helps identify and respond to potential vulnerability scanning attempts, enhancing the network's security posture and preventing potential exploits. +search: '| tstats `security_content_summariesonly` values(IDS_Attacks.action) as action values(IDS_Attacks.src_category) as src_category values(IDS_Attacks.dest_category) as dest_category count from datamodel=Intrusion_Detection.IDS_Attacks where IDS_Attacks.src IN (10.0.0.0/8,192.168.0.0/16,172.16.0.0/12) IDS_Attacks.severity IN (critical, high, medium) by IDS_Attacks.src IDS_Attacks.severity IDS_Attacks.signature IDS_Attacks.dest IDS_Attacks.dest_port IDS_Attacks.transport span=1s _time | `drop_dm_object_name("IDS_Attacks")` | eval gtime=_time | bin span=1h gtime | eventstats count as sevCount by severity src | eventstats count as sigCount by signature src | eval severity=severity +"("+sevCount+")" | eval signature=signature +"("+sigCount+")" | eval dest_port=transport + "/" + dest_port | stats min(_time) as _time values(action) as action dc(dest) as destCount dc(signature) as sigCount values(signature) values(src_category) as src_category values(dest_category) as dest_category values(severity) as severity values(dest_port) as dest_ports by src gtime | fields - gtime | where destCount>25 OR sigCount>25 | `internal_vulnerability_scan_filter`' +how_to_implement: For this detection to function effectively, it is essential to ingest IDS/IPS logs that are mapped to the Common Information Model (CIM). These logs provide the necessary security-related telemetry and contextual information needed to accurately identify and analyze potential threats. +known_false_positives: Internal vulnerability scanners will trigger this detection. references: [] tags: analytic_story: @@ -59,4 +40,4 @@ tags: - IDS_Attacks.severity - IDS_Attacks.signature - IDS_Attacks.transport - security_domain: network \ No newline at end of file + security_domain: network diff --git a/detections/network/large_volume_of_dns_any_queries.yml b/detections/network/large_volume_of_dns_any_queries.yml index a546c0cace..45393b2161 100644 --- a/detections/network/large_volume_of_dns_any_queries.yml +++ b/detections/network/large_volume_of_dns_any_queries.yml @@ -5,23 +5,11 @@ date: '2024-10-17' author: Bhavin Patel, Splunk status: experimental type: Anomaly -description: The following analytic identifies a large volume of DNS ANY queries, - which may indicate a DNS amplification attack. It leverages the Network_Resolution - data model to count DNS queries of type "ANY" directed to specific destinations. - This activity is significant because DNS amplification attacks can overwhelm network - resources, leading to Denial of Service (DoS) conditions. If confirmed malicious, - this activity could disrupt services, degrade network performance, and potentially - be part of a larger Distributed Denial of Service (DDoS) attack, impacting the availability - of critical infrastructure. +description: The following analytic identifies a large volume of DNS ANY queries, which may indicate a DNS amplification attack. It leverages the Network_Resolution data model to count DNS queries of type "ANY" directed to specific destinations. This activity is significant because DNS amplification attacks can overwhelm network resources, leading to Denial of Service (DoS) conditions. If confirmed malicious, this activity could disrupt services, degrade network performance, and potentially be part of a larger Distributed Denial of Service (DDoS) attack, impacting the availability of critical infrastructure. data_source: [] -search: '| tstats `security_content_summariesonly` count from datamodel=Network_Resolution - where nodename=DNS "DNS.message_type"="QUERY" "DNS.record_type"="ANY" by "DNS.dest" - | `drop_dm_object_name("DNS")` | where count>200 | `large_volume_of_dns_any_queries_filter`' -how_to_implement: To successfully implement this search you must ensure that DNS data - is populating the Network_Resolution data model. -known_false_positives: Legitimate ANY requests may trigger this search, however it - is unusual to see a large volume of them under typical circumstances. You may modify - the threshold in the search to better suit your environment. +search: '| tstats `security_content_summariesonly` count from datamodel=Network_Resolution where nodename=DNS "DNS.message_type"="QUERY" "DNS.record_type"="ANY" by "DNS.dest" | `drop_dm_object_name("DNS")` | where count>200 | `large_volume_of_dns_any_queries_filter`' +how_to_implement: To successfully implement this search you must ensure that DNS data is populating the Network_Resolution data model. +known_false_positives: Legitimate ANY requests may trigger this search, however it is unusual to see a large volume of them under typical circumstances. You may modify the threshold in the search to better suit your environment. references: [] tags: analytic_story: diff --git a/detections/network/multiple_archive_files_http_post_traffic.yml b/detections/network/multiple_archive_files_http_post_traffic.yml index f9aa4de7c5..1b33d2eb8c 100644 --- a/detections/network/multiple_archive_files_http_post_traffic.yml +++ b/detections/network/multiple_archive_files_http_post_traffic.yml @@ -16,12 +16,12 @@ references: - https://www.mandiant.com/resources/apt39-iranian-cyber-espionage-group-focused-on-personal-information - https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/ drilldown_searches: -- name: View the detection results for $src_ip$ - search: '%original_detection_search% | search src_ip = $src_ip$' +- name: View the detection results for - "$src_ip$" + search: '%original_detection_search% | search src_ip = "$src_ip$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $src_ip$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($src_ip$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$src_ip$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src_ip$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/network/ngrok_reverse_proxy_on_network.yml b/detections/network/ngrok_reverse_proxy_on_network.yml index 1a822c3c5f..4ae24f5b36 100644 --- a/detections/network/ngrok_reverse_proxy_on_network.yml +++ b/detections/network/ngrok_reverse_proxy_on_network.yml @@ -14,12 +14,12 @@ known_false_positives: False positives will be present based on organizations th references: - https://www.cisa.gov/uscert/sites/default/files/publications/aa22-320a_joint_csa_iranian_government-sponsored_apt_actors_compromise_federal%20network_deploy_crypto%20miner_credential_harvester.pdf drilldown_searches: -- name: View the detection results for $src$ - search: '%original_detection_search% | search src = $src$' +- name: View the detection results for - "$src$" + search: '%original_detection_search% | search src = "$src$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $src$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($src$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$src$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/network/plain_http_post_exfiltrated_data.yml b/detections/network/plain_http_post_exfiltrated_data.yml index 19f29b7884..96955b1d68 100644 --- a/detections/network/plain_http_post_exfiltrated_data.yml +++ b/detections/network/plain_http_post_exfiltrated_data.yml @@ -14,12 +14,12 @@ known_false_positives: unknown references: - https://blog.talosintelligence.com/2020/03/trickbot-primer.html drilldown_searches: -- name: View the detection results for $src_ip$ - search: '%original_detection_search% | search src_ip = $src_ip$' +- name: View the detection results for - "$src_ip$" + search: '%original_detection_search% | search src_ip = "$src_ip$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $src_ip$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($src_ip$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$src_ip$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src_ip$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/network/prohibited_network_traffic_allowed.yml b/detections/network/prohibited_network_traffic_allowed.yml index 229140f417..e3caba6ac3 100644 --- a/detections/network/prohibited_network_traffic_allowed.yml +++ b/detections/network/prohibited_network_traffic_allowed.yml @@ -12,12 +12,12 @@ how_to_implement: In order to properly run this search, Splunk needs to ingest d known_false_positives: None identified references: [] drilldown_searches: -- name: View the detection results for $src_ip$ - search: '%original_detection_search% | search src_ip = $src_ip$' +- name: View the detection results for - "$src_ip$" + search: '%original_detection_search% | search src_ip = "$src_ip$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $src_ip$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($src_ip$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$src_ip$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src_ip$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/network/protocol_or_port_mismatch.yml b/detections/network/protocol_or_port_mismatch.yml index 5adf9d5aa5..c9c993d2b3 100644 --- a/detections/network/protocol_or_port_mismatch.yml +++ b/detections/network/protocol_or_port_mismatch.yml @@ -5,27 +5,10 @@ date: '2024-10-17' author: Rico Valdez, Splunk status: experimental type: Anomaly -description: The following analytic identifies network traffic where the higher layer - protocol does not match the expected port, such as non-HTTP traffic on TCP port - 80. It leverages data from network traffic inspection technologies like Bro or Palo - Alto Networks firewalls. This activity is significant because it may indicate attempts - to bypass firewall restrictions or conceal malicious communications. If confirmed - malicious, this behavior could allow attackers to evade detection, maintain persistence, - or exfiltrate data through commonly allowed ports, posing a significant threat to - network security. +description: The following analytic identifies network traffic where the higher layer protocol does not match the expected port, such as non-HTTP traffic on TCP port 80. It leverages data from network traffic inspection technologies like Bro or Palo Alto Networks firewalls. This activity is significant because it may indicate attempts to bypass firewall restrictions or conceal malicious communications. If confirmed malicious, this behavior could allow attackers to evade detection, maintain persistence, or exfiltrate data through commonly allowed ports, posing a significant threat to network security. data_source: [] -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) - as lastTime from datamodel=Network_Traffic where (All_Traffic.app=dns NOT All_Traffic.dest_port=53) - OR ((All_Traffic.app=web-browsing OR All_Traffic.app=http) NOT (All_Traffic.dest_port=80 - OR All_Traffic.dest_port=8080 OR All_Traffic.dest_port=8000)) OR (All_Traffic.app=ssl - NOT (All_Traffic.dest_port=443 OR All_Traffic.dest_port=8443)) OR (All_Traffic.app=smtp - NOT All_Traffic.dest_port=25) by All_Traffic.src_ip, All_Traffic.dest_ip, All_Traffic.app, - All_Traffic.dest_port |`security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` - | `drop_dm_object_name("All_Traffic")` | `protocol_or_port_mismatch_filter`' -how_to_implement: Running this search properly requires a technology that can inspect - network traffic and identify common protocols. Technologies such as Bro and Palo - Alto Networks firewalls are two examples that will identify protocols via inspection, - and not just assume a specific protocol based on the transport protocol and ports. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Network_Traffic where (All_Traffic.app=dns NOT All_Traffic.dest_port=53) OR ((All_Traffic.app=web-browsing OR All_Traffic.app=http) NOT (All_Traffic.dest_port=80 OR All_Traffic.dest_port=8080 OR All_Traffic.dest_port=8000)) OR (All_Traffic.app=ssl NOT (All_Traffic.dest_port=443 OR All_Traffic.dest_port=8443)) OR (All_Traffic.app=smtp NOT All_Traffic.dest_port=25) by All_Traffic.src_ip, All_Traffic.dest_ip, All_Traffic.app, All_Traffic.dest_port |`security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `drop_dm_object_name("All_Traffic")` | `protocol_or_port_mismatch_filter`' +how_to_implement: Running this search properly requires a technology that can inspect network traffic and identify common protocols. Technologies such as Bro and Palo Alto Networks firewalls are two examples that will identify protocols via inspection, and not just assume a specific protocol based on the transport protocol and ports. known_false_positives: None identified references: [] tags: diff --git a/detections/network/protocols_passing_authentication_in_cleartext.yml b/detections/network/protocols_passing_authentication_in_cleartext.yml index 0ba4bc5a32..2c96157842 100644 --- a/detections/network/protocols_passing_authentication_in_cleartext.yml +++ b/detections/network/protocols_passing_authentication_in_cleartext.yml @@ -5,28 +5,11 @@ date: '2024-10-17' author: Rico Valdez, Splunk status: experimental type: TTP -description: The following analytic identifies the use of cleartext protocols that - risk leaking sensitive information. It detects network traffic on legacy protocols - such as Telnet (port 23), POP3 (port 110), IMAP (port 143), and non-anonymous FTP - (port 21). The detection leverages the Network_Traffic data model to identify TCP - traffic on these ports. Monitoring this activity is crucial as it can expose credentials - and other sensitive data to interception. If confirmed malicious, attackers could - capture authentication details, leading to unauthorized access and potential data - breaches. +description: The following analytic identifies the use of cleartext protocols that risk leaking sensitive information. It detects network traffic on legacy protocols such as Telnet (port 23), POP3 (port 110), IMAP (port 143), and non-anonymous FTP (port 21). The detection leverages the Network_Traffic data model to identify TCP traffic on these ports. Monitoring this activity is crucial as it can expose credentials and other sensitive data to interception. If confirmed malicious, attackers could capture authentication details, leading to unauthorized access and potential data breaches. data_source: [] -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) - as lastTime from datamodel=Network_Traffic where All_Traffic.action!=blocked AND - All_Traffic.transport="tcp" AND (All_Traffic.dest_port="23" OR All_Traffic.dest_port="143" - OR All_Traffic.dest_port="110" OR (All_Traffic.dest_port="21" AND All_Traffic.user - != "anonymous")) by All_Traffic.user All_Traffic.src All_Traffic.dest All_Traffic.dest_port - | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `drop_dm_object_name("All_Traffic")` - | `protocols_passing_authentication_in_cleartext_filter`' -how_to_implement: This search requires you to be ingesting your network traffic, and - populating the Network_Traffic data model. For more accurate result it's better - to limit destination to organization private and public IP range, like All_Traffic.dest - IN(192.168.0.0/16,172.16.0.0/12,10.0.0.0/8, x.x.x.x/22) -known_false_positives: Some networks may use kerberized FTP or telnet servers, however, - this is rare. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Network_Traffic where All_Traffic.action!=blocked AND All_Traffic.transport="tcp" AND (All_Traffic.dest_port="23" OR All_Traffic.dest_port="143" OR All_Traffic.dest_port="110" OR (All_Traffic.dest_port="21" AND All_Traffic.user != "anonymous")) by All_Traffic.user All_Traffic.src All_Traffic.dest All_Traffic.dest_port | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `drop_dm_object_name("All_Traffic")` | `protocols_passing_authentication_in_cleartext_filter`' +how_to_implement: This search requires you to be ingesting your network traffic, and populating the Network_Traffic data model. For more accurate result it's better to limit destination to organization private and public IP range, like All_Traffic.dest IN(192.168.0.0/16,172.16.0.0/12,10.0.0.0/8, x.x.x.x/22) +known_false_positives: Some networks may use kerberized FTP or telnet servers, however, this is rare. references: - https://www.rackaid.com/blog/secure-your-email-and-file-transfers/ - https://www.infosecmatter.com/capture-passwords-using-wireshark/ diff --git a/detections/network/remote_desktop_network_bruteforce.yml b/detections/network/remote_desktop_network_bruteforce.yml index 65f1b90b92..563c8530ed 100644 --- a/detections/network/remote_desktop_network_bruteforce.yml +++ b/detections/network/remote_desktop_network_bruteforce.yml @@ -5,25 +5,11 @@ date: '2024-10-17' author: Jose Hernandez, Splunk status: experimental type: TTP -description: The following analytic identifies potential Remote Desktop Protocol (RDP) - brute force attacks by monitoring network traffic for RDP application activity. - It detects anomalies by filtering source and destination pairs that generate traffic - exceeding twice the standard deviation of the average traffic. This method leverages - the Network_Traffic data model to identify unusual patterns indicative of brute - force attempts. This activity is significant as it may indicate an attacker attempting - to gain unauthorized access to systems via RDP. If confirmed malicious, this could - lead to unauthorized access, data exfiltration, or further network compromise. +description: The following analytic identifies potential Remote Desktop Protocol (RDP) brute force attacks by monitoring network traffic for RDP application activity. It detects anomalies by filtering source and destination pairs that generate traffic exceeding twice the standard deviation of the average traffic. This method leverages the Network_Traffic data model to identify unusual patterns indicative of brute force attempts. This activity is significant as it may indicate an attacker attempting to gain unauthorized access to systems via RDP. If confirmed malicious, this could lead to unauthorized access, data exfiltration, or further network compromise. data_source: [] -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) - as lastTime from datamodel=Network_Traffic where All_Traffic.app=rdp by All_Traffic.src - All_Traffic.dest All_Traffic.dest_port | eventstats stdev(count) AS stdev avg(count) - AS avg p50(count) AS p50 | where count>(avg + stdev*2) | rename All_Traffic.src - AS src All_Traffic.dest AS dest | table firstTime lastTime src dest count avg p50 - stdev | `remote_desktop_network_bruteforce_filter`' -how_to_implement: You must ensure that your network traffic data is populating the - Network_Traffic data model. -known_false_positives: RDP gateways may have unusually high amounts of traffic from - all other hosts' RDP applications in the network. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Network_Traffic where All_Traffic.app=rdp by All_Traffic.src All_Traffic.dest All_Traffic.dest_port | eventstats stdev(count) AS stdev avg(count) AS avg p50(count) AS p50 | where count>(avg + stdev*2) | rename All_Traffic.src AS src All_Traffic.dest AS dest | table firstTime lastTime src dest count avg p50 stdev | `remote_desktop_network_bruteforce_filter`' +how_to_implement: You must ensure that your network traffic data is populating the Network_Traffic data model. +known_false_positives: RDP gateways may have unusually high amounts of traffic from all other hosts' RDP applications in the network. references: [] tags: analytic_story: diff --git a/detections/network/remote_desktop_network_traffic.yml b/detections/network/remote_desktop_network_traffic.yml index 9cc41e29aa..f33797c6f0 100644 --- a/detections/network/remote_desktop_network_traffic.yml +++ b/detections/network/remote_desktop_network_traffic.yml @@ -12,12 +12,12 @@ how_to_implement: To successfully implement this search you need to identify sys known_false_positives: Remote Desktop may be used legitimately by users on the network. references: [] drilldown_searches: -- name: View the detection results for $src$ - search: '%original_detection_search% | search src = $src$' +- name: View the detection results for - "$src$" + search: '%original_detection_search% | search src = "$src$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $src$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($src$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$src$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/network/smb_traffic_spike.yml b/detections/network/smb_traffic_spike.yml index 8d901910b2..37df31cad3 100644 --- a/detections/network/smb_traffic_spike.yml +++ b/detections/network/smb_traffic_spike.yml @@ -5,21 +5,11 @@ date: '2024-10-17' author: David Dorsey, Splunk status: experimental type: Anomaly -description: |- - The following analytic detects spikes in Server Message Block (SMB) traffic connections, which are used for sharing files and resources between computers. It leverages network traffic logs to monitor connections on ports 139 and 445, and SMB application usage. By calculating the average and standard deviation of SMB connections over the past 70 minutes, it identifies sources exceeding two standard deviations from the average. This activity is significant as it may indicate potential SMB-based attacks, such as ransomware or data theft. If confirmed malicious, attackers could exfiltrate data or spread malware within the network. +description: The following analytic detects spikes in Server Message Block (SMB) traffic connections, which are used for sharing files and resources between computers. It leverages network traffic logs to monitor connections on ports 139 and 445, and SMB application usage. By calculating the average and standard deviation of SMB connections over the past 70 minutes, it identifies sources exceeding two standard deviations from the average. This activity is significant as it may indicate potential SMB-based attacks, such as ransomware or data theft. If confirmed malicious, attackers could exfiltrate data or spread malware within the network. data_source: [] -search: '| tstats `security_content_summariesonly` count from datamodel=Network_Traffic - where All_Traffic.dest_port=139 OR All_Traffic.dest_port=445 OR All_Traffic.app=smb - by _time span=1h, All_Traffic.src | `drop_dm_object_name("All_Traffic")` | eventstats - max(_time) as maxtime | stats count as num_data_samples max(eval(if(_time >= relative_time(maxtime, - "-70m@m"), count, null))) as count avg(eval(if(_time upperBound - AND num_data_samples >=50, 1, 0) | where isOutlier=1 | table src count | `smb_traffic_spike_filter`' -how_to_implement: This search requires you to be ingesting your network traffic logs - and populating the `Network_Traffic` data model. -known_false_positives: A file server may experience high-demand loads that could cause - this analytic to trigger. +search: '| tstats `security_content_summariesonly` count from datamodel=Network_Traffic where All_Traffic.dest_port=139 OR All_Traffic.dest_port=445 OR All_Traffic.app=smb by _time span=1h, All_Traffic.src | `drop_dm_object_name("All_Traffic")` | eventstats max(_time) as maxtime | stats count as num_data_samples max(eval(if(_time >= relative_time(maxtime, "-70m@m"), count, null))) as count avg(eval(if(_time upperBound AND num_data_samples >=50, 1, 0) | where isOutlier=1 | table src count | `smb_traffic_spike_filter`' +how_to_implement: This search requires you to be ingesting your network traffic logs and populating the `Network_Traffic` data model. +known_false_positives: A file server may experience high-demand loads that could cause this analytic to trigger. references: [] tags: analytic_story: diff --git a/detections/network/smb_traffic_spike___mltk.yml b/detections/network/smb_traffic_spike___mltk.yml index c8091836d6..8500e94944 100644 --- a/detections/network/smb_traffic_spike___mltk.yml +++ b/detections/network/smb_traffic_spike___mltk.yml @@ -5,42 +5,17 @@ date: '2024-10-17' author: Rico Valdez, Splunk status: experimental type: Anomaly -description: The following analytic identifies spikes in the number of Server Message - Block (SMB) connections using the Machine Learning Toolkit (MLTK). It leverages - the Network_Traffic data model to monitor SMB traffic on ports 139 and 445, applying - a machine learning model to detect anomalies. This activity is significant because - sudden increases in SMB traffic can indicate lateral movement or data exfiltration - attempts by attackers. If confirmed malicious, this behavior could lead to unauthorized - access, data theft, or further compromise of the network. +description: The following analytic identifies spikes in the number of Server Message Block (SMB) connections using the Machine Learning Toolkit (MLTK). It leverages the Network_Traffic data model to monitor SMB traffic on ports 139 and 445, applying a machine learning model to detect anomalies. This activity is significant because sudden increases in SMB traffic can indicate lateral movement or data exfiltration attempts by attackers. If confirmed malicious, this behavior could lead to unauthorized access, data theft, or further compromise of the network. data_source: [] -search: '| tstats `security_content_summariesonly` count values(All_Traffic.dest_ip) - as dest values(All_Traffic.dest_port) as port from datamodel=Network_Traffic where - All_Traffic.dest_port=139 OR All_Traffic.dest_port=445 OR All_Traffic.app=smb by - _time span=1h, All_Traffic.src | eval HourOfDay=strftime(_time, "%H") | eval DayOfWeek=strftime(_time, - "%A") | `drop_dm_object_name(All_Traffic)` | apply smb_pdfmodel threshold=0.001 - | rename "IsOutlier(count)" as isOutlier | search isOutlier > 0 | sort -count | - table _time src dest port count | `smb_traffic_spike___mltk_filter`' -how_to_implement: "To successfully implement this search, you will need to ensure - that DNS data is populating the Network_Traffic data model. In addition, the latest - version of Machine Learning Toolkit (MLTK) must be installed on your search heads, - along with any required dependencies. Finally, the support search \"Baseline of - SMB Traffic - MLTK\" must be executed before this detection search, because it builds - a machine-learning (ML) model over the historical data used by this search. It is - important that this search is run in the same app context as the associated support - search, so that the model created by the support search is available for use. You - should periodically re-run the support search to rebuild the model with the latest - data available in your environment.\nThis search produces a field (Number of events,count) - that are not yet supported by ES Incident Review and therefore cannot be viewed - when a notable event is raised. This field contributes additional context to the - notable. To see the additional metadata, add the following field, if not already - present, to Incident Review - Event Attributes (Configure > Incident Management - > Incident Review Settings > Add New Entry):\n* **Label:** Number of events, **Field:** - count\nDetailed documentation on how to create a new field within Incident Review - is found here: `https://docs.splunk.com/Documentation/ES/5.3.0/Admin/Customizenotables#Add_a_field_to_the_notable_event_details`" -known_false_positives: If you are seeing more results than desired, you may consider - reducing the value of the threshold in the search. You should also periodically - re-run the support search to re-build the ML model on the latest data. Please update - the `smb_traffic_spike_mltk_filter` macro to filter out false positive results +search: '| tstats `security_content_summariesonly` count values(All_Traffic.dest_ip) as dest values(All_Traffic.dest_port) as port from datamodel=Network_Traffic where All_Traffic.dest_port=139 OR All_Traffic.dest_port=445 OR All_Traffic.app=smb by _time span=1h, All_Traffic.src | eval HourOfDay=strftime(_time, "%H") | eval DayOfWeek=strftime(_time, "%A") | `drop_dm_object_name(All_Traffic)` | apply smb_pdfmodel threshold=0.001 | rename "IsOutlier(count)" as isOutlier | search isOutlier > 0 | sort -count | table _time src dest port count | `smb_traffic_spike___mltk_filter`' +how_to_implement: 'To successfully implement this search, you will need to ensure that DNS data is populating the Network_Traffic data model. In addition, the latest version of Machine Learning Toolkit (MLTK) must be installed on your search heads, along with any required dependencies. Finally, the support search "Baseline of SMB Traffic - MLTK" must be executed before this detection search, because it builds a machine-learning (ML) model over the historical data used by this search. It is important that this search is run in the same app context as the associated support search, so that the model created by the support search is available for use. You should periodically re-run the support search to rebuild the model with the latest data available in your environment. + + This search produces a field (Number of events,count) that are not yet supported by ES Incident Review and therefore cannot be viewed when a notable event is raised. This field contributes additional context to the notable. To see the additional metadata, add the following field, if not already present, to Incident Review - Event Attributes (Configure > Incident Management > Incident Review Settings > Add New Entry): + + * **Label:** Number of events, **Field:** count + + Detailed documentation on how to create a new field within Incident Review is found here: `https://docs.splunk.com/Documentation/ES/5.3.0/Admin/Customizenotables#Add_a_field_to_the_notable_event_details`' +known_false_positives: If you are seeing more results than desired, you may consider reducing the value of the threshold in the search. You should also periodically re-run the support search to re-build the ML model on the latest data. Please update the `smb_traffic_spike_mltk_filter` macro to filter out false positive results references: [] tags: analytic_story: diff --git a/detections/network/ssl_certificates_with_punycode.yml b/detections/network/ssl_certificates_with_punycode.yml index b908211de3..89c12e2ed3 100644 --- a/detections/network/ssl_certificates_with_punycode.yml +++ b/detections/network/ssl_certificates_with_punycode.yml @@ -5,27 +5,11 @@ date: '2024-10-17' author: Michael Haag, Splunk status: experimental type: Hunting -description: The following analytic detects SSL certificates with Punycode domains - in the SSL issuer email domain, identified by the prefix "xn--". It leverages the - Certificates Datamodel to flag these domains and uses CyberChef for decoding. This - activity is significant as Punycode can be used for domain spoofing and phishing - attacks. If confirmed malicious, attackers could deceive users and systems, potentially - leading to unauthorized access and data breaches. +description: The following analytic detects SSL certificates with Punycode domains in the SSL issuer email domain, identified by the prefix "xn--". It leverages the Certificates Datamodel to flag these domains and uses CyberChef for decoding. This activity is significant as Punycode can be used for domain spoofing and phishing attacks. If confirmed malicious, attackers could deceive users and systems, potentially leading to unauthorized access and data breaches. data_source: [] -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) - as lastTime from datamodel=Certificates.All_Certificates by All_Certificates.SSL.ssl_issuer_email_domain - All_Certificates.SSL.ssl_issuer All_Certificates.SSL.ssl_subject_email All_Certificates.SSL.dest - All_Certificates.SSL.src All_Certificates.SSL.sourcetype All_Certificates.SSL.ssl_subject_email_domain - | `drop_dm_object_name("All_Certificates.SSL")` | eval punycode=if(like(ssl_issuer_email_domain,"%xn--%"),1,0) - | where punycode=1 | cyberchef infield="ssl_issuer_email_domain" outfield="convertedPuny" - jsonrecipe="[{"op":"From Punycode","args":[true]}]" | table ssl_issuer_email_domain - convertedPuny ssl_issuer ssl_subject_email dest src sourcetype ssl_subject_email_domain - | `ssl_certificates_with_punycode_filter`' -how_to_implement: Ensure data is properly being ingested into the Certificates datamodel. - If decoding the of interest, the CyberChef app is needed https://splunkbase.splunk.com/app/5348. - If decoding is not needed, remove the cyberchef lines. -known_false_positives: False positives may be present if the organization works with - international businesses. Filter as needed. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Certificates.All_Certificates by All_Certificates.SSL.ssl_issuer_email_domain All_Certificates.SSL.ssl_issuer All_Certificates.SSL.ssl_subject_email All_Certificates.SSL.dest All_Certificates.SSL.src All_Certificates.SSL.sourcetype All_Certificates.SSL.ssl_subject_email_domain | `drop_dm_object_name("All_Certificates.SSL")` | eval punycode=if(like(ssl_issuer_email_domain,"%xn--%"),1,0) | where punycode=1 | cyberchef infield="ssl_issuer_email_domain" outfield="convertedPuny" jsonrecipe="[{"op":"From Punycode","args":[true]}]" | table ssl_issuer_email_domain convertedPuny ssl_issuer ssl_subject_email dest src sourcetype ssl_subject_email_domain | `ssl_certificates_with_punycode_filter`' +how_to_implement: Ensure data is properly being ingested into the Certificates datamodel. If decoding the of interest, the CyberChef app is needed https://splunkbase.splunk.com/app/5348. If decoding is not needed, remove the cyberchef lines. +known_false_positives: False positives may be present if the organization works with international businesses. Filter as needed. references: - https://www.splunk.com/en_us/blog/security/nothing-puny-about-cve-2022-3602.html - https://www.openssl.org/blog/blog/2022/11/01/email-address-overflows/ @@ -37,8 +21,7 @@ tags: asset_type: Network confidence: 30 impact: 50 - message: A x509 certificate has been identified to have punycode in the SSL issuer - email domain on $dest$. + message: A x509 certificate has been identified to have punycode in the SSL issuer email domain on $dest$. mitre_attack_id: - T1573 observable: diff --git a/detections/network/tor_traffic.yml b/detections/network/tor_traffic.yml index 42bc5f631f..c755e011b2 100644 --- a/detections/network/tor_traffic.yml +++ b/detections/network/tor_traffic.yml @@ -15,12 +15,12 @@ references: - https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClRtCAK - https://unit42.paloaltonetworks.com/tor-traffic-enterprise-networks/#:~:text=For%20enterprises%20concerned%20about%20the,the%20most%20important%20security%20risks. drilldown_searches: -- name: View the detection results for $src_ip$ - search: '%original_detection_search% | search src_ip = $src_ip$' +- name: View the detection results for - "$src_ip$" + search: '%original_detection_search% | search src_ip = "$src_ip$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $src_ip$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($src_ip$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$src_ip$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src_ip$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/network/unusually_long_content_type_length.yml b/detections/network/unusually_long_content_type_length.yml index 901e72b710..0e2abef8e8 100644 --- a/detections/network/unusually_long_content_type_length.yml +++ b/detections/network/unusually_long_content_type_length.yml @@ -5,23 +5,11 @@ date: '2024-10-17' author: Bhavin Patel, Splunk status: experimental type: Anomaly -description: The following analytic identifies unusually long strings in the Content-Type - HTTP header sent by the client to the server. It uses data from the Stream:HTTP - source, specifically evaluating the length of the `cs_content_type` field. This - activity is significant because excessively long Content-Type headers can indicate - attempts to exploit vulnerabilities or evade detection mechanisms. If confirmed - malicious, this behavior could allow attackers to execute code, manipulate data, - or bypass security controls, potentially leading to unauthorized access or data - breaches. +description: The following analytic identifies unusually long strings in the Content-Type HTTP header sent by the client to the server. It uses data from the Stream:HTTP source, specifically evaluating the length of the `cs_content_type` field. This activity is significant because excessively long Content-Type headers can indicate attempts to exploit vulnerabilities or evade detection mechanisms. If confirmed malicious, this behavior could allow attackers to execute code, manipulate data, or bypass security controls, potentially leading to unauthorized access or data breaches. data_source: [] -search: '`stream_http` | eval cs_content_type_length = len(cs_content_type) | where - cs_content_type_length > 100 | table endtime src_ip dest_ip cs_content_type_length - cs_content_type url | `unusually_long_content_type_length_filter`' -how_to_implement: This particular search leverages data extracted from Stream:HTTP. - You must configure the http stream using the Splunk Stream App on your Splunk Stream - deployment server to extract the cs_content_type field. -known_false_positives: Very few legitimate Content-Type fields will have a length - greater than 100 characters. +search: '`stream_http` | eval cs_content_type_length = len(cs_content_type) | where cs_content_type_length > 100 | table endtime src_ip dest_ip cs_content_type_length cs_content_type url | `unusually_long_content_type_length_filter`' +how_to_implement: This particular search leverages data extracted from Stream:HTTP. You must configure the http stream using the Splunk Stream App on your Splunk Stream deployment server to extract the cs_content_type field. +known_false_positives: Very few legitimate Content-Type fields will have a length greater than 100 characters. references: [] tags: analytic_story: diff --git a/detections/network/windows_ad_replication_service_traffic.yml b/detections/network/windows_ad_replication_service_traffic.yml index 9c4ef78274..60ebda269e 100644 --- a/detections/network/windows_ad_replication_service_traffic.yml +++ b/detections/network/windows_ad_replication_service_traffic.yml @@ -6,23 +6,9 @@ author: Steven Dick type: TTP status: experimental data_source: [] -description: The following analytic identifies unexpected Active Directory replication - traffic from non-domain controller sources. It leverages data from the Network Traffic - datamodel, specifically looking for applications related to AD replication. This - activity is significant because AD replication traffic should typically only occur - between domain controllers. Detection of such traffic from other sources may indicate - malicious activities like DCSync or DCShadow, which are used for credential dumping. - If confirmed malicious, this could allow attackers to exfiltrate sensitive credentials, - leading to unauthorized access and potential domain-wide compromise. -search: '| tstats `security_content_summariesonly` count values(All_Traffic.transport) - as transport values(All_Traffic.user) as user values(All_Traffic.src_category) as - src_category values(All_Traffic.dest_category) as dest_category min(_time) as firstTime - max(_time) as lastTime from datamodel=Network_Traffic where All_Traffic.app IN ("ms-dc-replication","*drsr*","ad - drs") by All_Traffic.src All_Traffic.dest All_Traffic.app | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` | `drop_dm_object_name("All_Traffic")` | `windows_ad_replication_service_traffic_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting - application aware firewall or proxy logs into the Network Datamodel. Categorize - all known domain controller Assets servers with an appropriate category for filtering. +description: The following analytic identifies unexpected Active Directory replication traffic from non-domain controller sources. It leverages data from the Network Traffic datamodel, specifically looking for applications related to AD replication. This activity is significant because AD replication traffic should typically only occur between domain controllers. Detection of such traffic from other sources may indicate malicious activities like DCSync or DCShadow, which are used for credential dumping. If confirmed malicious, this could allow attackers to exfiltrate sensitive credentials, leading to unauthorized access and potential domain-wide compromise. +search: '| tstats `security_content_summariesonly` count values(All_Traffic.transport) as transport values(All_Traffic.user) as user values(All_Traffic.src_category) as src_category values(All_Traffic.dest_category) as dest_category min(_time) as firstTime max(_time) as lastTime from datamodel=Network_Traffic where All_Traffic.app IN ("ms-dc-replication","*drsr*","ad drs") by All_Traffic.src All_Traffic.dest All_Traffic.app | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `drop_dm_object_name("All_Traffic")` | `windows_ad_replication_service_traffic_filter`' +how_to_implement: To successfully implement this search, you need to be ingesting application aware firewall or proxy logs into the Network Datamodel. Categorize all known domain controller Assets servers with an appropriate category for filtering. known_false_positives: New domain controllers or certian scripts run by administrators. references: - https://adsecurity.org/?p=1729 diff --git a/detections/network/windows_ad_rogue_domain_controller_network_activity.yml b/detections/network/windows_ad_rogue_domain_controller_network_activity.yml index 8d9f6a1ee0..440d5240a1 100644 --- a/detections/network/windows_ad_rogue_domain_controller_network_activity.yml +++ b/detections/network/windows_ad_rogue_domain_controller_network_activity.yml @@ -6,20 +6,9 @@ author: Dean Luxton type: TTP status: experimental data_source: [] -description: The following analytic identifies unauthorized replication RPC calls - from non-domain controller devices. It leverages Zeek wire data to detect specific - RPC operations like DrsReplicaAdd and DRSGetNCChanges, filtering out legitimate - domain controllers. This activity is significant as it may indicate an attempt to - introduce a rogue domain controller, which can compromise the integrity of the Active - Directory environment. If confirmed malicious, this could allow attackers to manipulate - directory data, escalate privileges, and persist within the network, posing a severe - security risk. -search: '`zeek_rpc` DrsReplicaAdd OR DRSGetNCChanges | where NOT (dest_category="Domain - Controller") OR NOT (src_category="Domain Controller") | fillnull value="Unknown" - src_category, dest_category | table _time endpoint operation src src_category dest - dest_category | `windows_ad_rogue_domain_controller_network_activity_filter`' -how_to_implement: Run zeek on domain controllers to capture the DCE RPC calls, ensure - the domain controller categories are defined in Assets and Identities. +description: The following analytic identifies unauthorized replication RPC calls from non-domain controller devices. It leverages Zeek wire data to detect specific RPC operations like DrsReplicaAdd and DRSGetNCChanges, filtering out legitimate domain controllers. This activity is significant as it may indicate an attempt to introduce a rogue domain controller, which can compromise the integrity of the Active Directory environment. If confirmed malicious, this could allow attackers to manipulate directory data, escalate privileges, and persist within the network, posing a severe security risk. +search: '`zeek_rpc` DrsReplicaAdd OR DRSGetNCChanges | where NOT (dest_category="Domain Controller") OR NOT (src_category="Domain Controller") | fillnull value="Unknown" src_category, dest_category | table _time endpoint operation src src_category dest dest_category | `windows_ad_rogue_domain_controller_network_activity_filter`' +how_to_implement: Run zeek on domain controllers to capture the DCE RPC calls, ensure the domain controller categories are defined in Assets and Identities. known_false_positives: None. references: - https://adsecurity.org/?p=1729 diff --git a/detections/network/zeek_x509_certificate_with_punycode.yml b/detections/network/zeek_x509_certificate_with_punycode.yml index 705cc1540e..6e781a5f27 100644 --- a/detections/network/zeek_x509_certificate_with_punycode.yml +++ b/detections/network/zeek_x509_certificate_with_punycode.yml @@ -5,25 +5,11 @@ date: '2024-10-17' author: Michael Haag, Splunk status: experimental type: Hunting -description: The following analytic detects the presence of punycode within x509 certificates - using Zeek x509 logs. It identifies punycode in the subject alternative name email - and other fields by searching for the "xn--" prefix. This activity is significant - as punycode can be used in phishing attacks or to bypass domain filters, posing - a security risk. If confirmed malicious, attackers could use these certificates - to impersonate legitimate domains, potentially leading to unauthorized access or - data breaches. +description: The following analytic detects the presence of punycode within x509 certificates using Zeek x509 logs. It identifies punycode in the subject alternative name email and other fields by searching for the "xn--" prefix. This activity is significant as punycode can be used in phishing attacks or to bypass domain filters, posing a security risk. If confirmed malicious, attackers could use these certificates to impersonate legitimate domains, potentially leading to unauthorized access or data breaches. data_source: [] -search: '`zeek_x509` | rex field=san.email{} "\@(?xn--.*)" | rex - field=san.other_fields{} "\@(?xn--.*)" | stats values(domain_detected) - by basic_constraints.ca source host | `zeek_x509_certificate_with_punycode_filter`' -how_to_implement: The following analytic requires x509 certificate data to be logged - entirely. In particular, for CVE-2022-3602, the punycode will be within the leaf - certificate. The analytic may be modified to look for all xn--, or utilize a network - IDS/monitoring tool like Zeek or Suricata to drill down into cert captured. Note - for Suricata, the certificate is base64 encoded and will need to be decoded to capture - the punycode (punycode will need to be decoded after). -known_false_positives: False positives may be present if the organization works with - international businesses. Filter as needed. +search: '`zeek_x509` | rex field=san.email{} "\@(?xn--.*)" | rex field=san.other_fields{} "\@(?xn--.*)" | stats values(domain_detected) by basic_constraints.ca source host | `zeek_x509_certificate_with_punycode_filter`' +how_to_implement: The following analytic requires x509 certificate data to be logged entirely. In particular, for CVE-2022-3602, the punycode will be within the leaf certificate. The analytic may be modified to look for all xn--, or utilize a network IDS/monitoring tool like Zeek or Suricata to drill down into cert captured. Note for Suricata, the certificate is base64 encoded and will need to be decoded to capture the punycode (punycode will need to be decoded after). +known_false_positives: False positives may be present if the organization works with international businesses. Filter as needed. references: - https://community.emergingthreats.net/t/out-of-band-ruleset-update-summary-2022-11-01/117 - https://github.com/corelight/CVE-2022-3602/tree/master/scripts @@ -37,8 +23,7 @@ tags: asset_type: Network confidence: 30 impact: 50 - message: A x509 certificate has been identified to have punycode in the subject - alternative name on $dest$. + message: A x509 certificate has been identified to have punycode in the subject alternative name on $dest$. mitre_attack_id: - T1573 observable: diff --git a/detections/web/access_to_vulnerable_ivanti_connect_secure_bookmark_endpoint.yml b/detections/web/access_to_vulnerable_ivanti_connect_secure_bookmark_endpoint.yml index 38c5770faf..e037a0f524 100644 --- a/detections/web/access_to_vulnerable_ivanti_connect_secure_bookmark_endpoint.yml +++ b/detections/web/access_to_vulnerable_ivanti_connect_secure_bookmark_endpoint.yml @@ -16,12 +16,12 @@ references: - https://github.com/projectdiscovery/nuclei-templates/blob/c6b351e71b0fb0e40e222e97038f1fe09ac58194/http/misconfiguration/ivanti/CVE-2023-46085-CVE-2024-21887-mitigation-not-applied.yaml - https://github.com/rapid7/metasploit-framework/pull/18708/files drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/web/adobe_coldfusion_access_control_bypass.yml b/detections/web/adobe_coldfusion_access_control_bypass.yml index e0813ae4c5..1505341e33 100644 --- a/detections/web/adobe_coldfusion_access_control_bypass.yml +++ b/detections/web/adobe_coldfusion_access_control_bypass.yml @@ -14,12 +14,12 @@ known_false_positives: This analytic is limited to HTTP Status 200; adjust as ne references: - https://www.rapid7.com/blog/post/2023/07/11/cve-2023-29298-adobe-coldfusion-access-control-bypass/ drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/web/adobe_coldfusion_unauthenticated_arbitrary_file_read.yml b/detections/web/adobe_coldfusion_unauthenticated_arbitrary_file_read.yml index b96589040a..350e5ad03e 100644 --- a/detections/web/adobe_coldfusion_unauthenticated_arbitrary_file_read.yml +++ b/detections/web/adobe_coldfusion_unauthenticated_arbitrary_file_read.yml @@ -15,12 +15,12 @@ references: - https://www.rapid7.com/db/modules/auxiliary/gather/adobe_coldfusion_fileread_cve_2023_26360/ - https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2023/CVE-2023-26360.yaml drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/web/cisco_ios_xe_implant_access.yml b/detections/web/cisco_ios_xe_implant_access.yml index dd492e8862..a6875a7e59 100644 --- a/detections/web/cisco_ios_xe_implant_access.yml +++ b/detections/web/cisco_ios_xe_implant_access.yml @@ -15,12 +15,12 @@ references: - https://blog.talosintelligence.com/active-exploitation-of-cisco-ios-xe-software/ - https://github.com/vulncheck-oss/cisco-ios-xe-implant-scanner drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/web/citrix_adc_and_gateway_unauthorized_data_disclosure.yml b/detections/web/citrix_adc_and_gateway_unauthorized_data_disclosure.yml index 26ebc7498e..458dfc00a1 100644 --- a/detections/web/citrix_adc_and_gateway_unauthorized_data_disclosure.yml +++ b/detections/web/citrix_adc_and_gateway_unauthorized_data_disclosure.yml @@ -15,12 +15,12 @@ references: - https://www.assetnote.io/resources/research/citrix-bleed-leaking-session-tokens-with-cve-2023-4966 - https://github.com/assetnote/exploits/tree/main/citrix/CVE-2023-4966 drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/web/citrix_adc_exploitation_cve_2023_3519.yml b/detections/web/citrix_adc_exploitation_cve_2023_3519.yml index 459d5b6132..cf0903a163 100644 --- a/detections/web/citrix_adc_exploitation_cve_2023_3519.yml +++ b/detections/web/citrix_adc_exploitation_cve_2023_3519.yml @@ -7,23 +7,10 @@ status: production type: Hunting data_source: - Palo Alto Network Threat -description: The following analytic identifies potential exploitation attempts against - Citrix ADC related to CVE-2023-3519. It detects POST requests to specific web endpoints - associated with this vulnerability by leveraging the Web datamodel. This activity - is significant as CVE-2023-3519 involves a SAML processing overflow issue that can - lead to memory corruption, posing a high risk. If confirmed malicious, attackers - could exploit this to execute arbitrary code, escalate privileges, or disrupt services, - making it crucial for SOC analysts to monitor and investigate these alerts promptly. -search: '| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web - where Web.url IN ("*/saml/login","/cgi/samlauth","*/saml/activelogin","/cgi/samlart?samlart=*","*/cgi/logout","/gwtest/formssso?event=start&target=*","/netscaler/ns_gui/vpn/*") Web.http_method=POST - by Web.http_user_agent, Web.status Web.http_method, Web.url, Web.url_length, Web.src, - Web.dest, sourcetype | `drop_dm_object_name("Web")` | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` | `citrix_adc_exploitation_cve_2023_3519_filter`' -how_to_implement: This detection requires the Web datamodel to be populated from a - supported Technology Add-On like Splunk for Apache, Splunk for Nginx, or Splunk - for Palo Alto. -known_false_positives: False positives may be present based on organization use of - SAML utilities. Filter, or restrict the analytic to Citrix devices only. +description: The following analytic identifies potential exploitation attempts against Citrix ADC related to CVE-2023-3519. It detects POST requests to specific web endpoints associated with this vulnerability by leveraging the Web datamodel. This activity is significant as CVE-2023-3519 involves a SAML processing overflow issue that can lead to memory corruption, posing a high risk. If confirmed malicious, attackers could exploit this to execute arbitrary code, escalate privileges, or disrupt services, making it crucial for SOC analysts to monitor and investigate these alerts promptly. +search: '| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.url IN ("*/saml/login","/cgi/samlauth","*/saml/activelogin","/cgi/samlart?samlart=*","*/cgi/logout","/gwtest/formssso?event=start&target=*","/netscaler/ns_gui/vpn/*") Web.http_method=POST by Web.http_user_agent, Web.status Web.http_method, Web.url, Web.url_length, Web.src, Web.dest, sourcetype | `drop_dm_object_name("Web")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `citrix_adc_exploitation_cve_2023_3519_filter`' +how_to_implement: This detection requires the Web datamodel to be populated from a supported Technology Add-On like Splunk for Apache, Splunk for Nginx, or Splunk for Palo Alto. +known_false_positives: False positives may be present based on organization use of SAML utilities. Filter, or restrict the analytic to Citrix devices only. references: - https://blog.assetnote.io/2023/07/21/citrix-CVE-2023-3519-analysis/ - https://support.citrix.com/article/CTX561482/citrix-adc-and-citrix-gateway-security-bulletin-for-cve20233519-cve20233466-cve20233467 @@ -63,7 +50,6 @@ tags: tests: - name: True Positive Test attack_data: - - data: - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/citrix/citrix-cve20233519.log + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/citrix/citrix-cve20233519.log source: pan:threat sourcetype: pan:threat diff --git a/detections/web/citrix_sharefile_exploitation_cve_2023_24489.yml b/detections/web/citrix_sharefile_exploitation_cve_2023_24489.yml index 7cc6405a10..6757ed3488 100644 --- a/detections/web/citrix_sharefile_exploitation_cve_2023_24489.yml +++ b/detections/web/citrix_sharefile_exploitation_cve_2023_24489.yml @@ -7,29 +7,10 @@ status: production type: Hunting data_source: - Suricata -description: The following analytic detects potentially malicious file upload attempts - to Citrix ShareFile via specific suspicious URLs and the HTTP POST method. It leverages - the Web datamodel to identify URL patterns such as "/documentum/upload.aspx?parentid=", - "/documentum/upload.aspx?filename=", and "/documentum/upload.aspx?uploadId=*", combined - with the HTTP POST method. This activity is significant for a SOC as it may indicate - an attempt to upload harmful scripts or content, potentially compromising the Documentum - application. If confirmed malicious, this could lead to unauthorized access, data - breaches, and operational disruptions. -search: '| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web - where Web.url="/documentum/upload.aspx?*" AND Web.url IN ("*parentid=*","*filename=*","*uploadId=*") - AND Web.url IN ("*unzip=*", "*raw=*") Web.http_method=POST by Web.http_user_agent, - Web.status Web.http_method, Web.url, Web.url_length, Web.src, Web.dest, sourcetype - | `drop_dm_object_name("Web")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| - `citrix_sharefile_exploitation_cve_2023_24489_filter`' -how_to_implement: Dependent upon the placement of the ShareFile application, ensure - the latest Technology Add-On is eneabled. This detection requires the Web datamodel - to be populated from a supported Technology Add-On like Suricata, Splunk for Apache, - Splunk for Nginx, or Splunk for Palo Alto. The ShareFile application is IIS based, - therefore ingesting IIS logs and reviewing for the same pattern would identify this - activity, successful or not. -known_false_positives: False positives may be present, filtering may be needed. Also, - restricting to known web servers running IIS or ShareFile will change this from - Hunting to TTP. +description: The following analytic detects potentially malicious file upload attempts to Citrix ShareFile via specific suspicious URLs and the HTTP POST method. It leverages the Web datamodel to identify URL patterns such as "/documentum/upload.aspx?parentid=", "/documentum/upload.aspx?filename=", and "/documentum/upload.aspx?uploadId=*", combined with the HTTP POST method. This activity is significant for a SOC as it may indicate an attempt to upload harmful scripts or content, potentially compromising the Documentum application. If confirmed malicious, this could lead to unauthorized access, data breaches, and operational disruptions. +search: '| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.url="/documentum/upload.aspx?*" AND Web.url IN ("*parentid=*","*filename=*","*uploadId=*") AND Web.url IN ("*unzip=*", "*raw=*") Web.http_method=POST by Web.http_user_agent, Web.status Web.http_method, Web.url, Web.url_length, Web.src, Web.dest, sourcetype | `drop_dm_object_name("Web")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `citrix_sharefile_exploitation_cve_2023_24489_filter`' +how_to_implement: Dependent upon the placement of the ShareFile application, ensure the latest Technology Add-On is eneabled. This detection requires the Web datamodel to be populated from a supported Technology Add-On like Suricata, Splunk for Apache, Splunk for Nginx, or Splunk for Palo Alto. The ShareFile application is IIS based, therefore ingesting IIS logs and reviewing for the same pattern would identify this activity, successful or not. +known_false_positives: False positives may be present, filtering may be needed. Also, restricting to known web servers running IIS or ShareFile will change this from Hunting to TTP. references: - https://blog.assetnote.io/2023/07/04/citrix-sharefile-rce/ tags: @@ -65,7 +46,6 @@ tags: tests: - name: True Positive Test attack_data: - - data: - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/citrix/citrix-cve_2023_24489.log + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/citrix/citrix-cve_2023_24489.log source: suricata sourcetype: suricata diff --git a/detections/web/confluence_cve_2023_22515_trigger_vulnerability.yml b/detections/web/confluence_cve_2023_22515_trigger_vulnerability.yml index 734b9608da..83031961a7 100644 --- a/detections/web/confluence_cve_2023_22515_trigger_vulnerability.yml +++ b/detections/web/confluence_cve_2023_22515_trigger_vulnerability.yml @@ -16,12 +16,12 @@ references: - https://x.com/Shadowserver/status/1712378833536741430?s=20 - https://github.com/j3seer/CVE-2023-22515-POC drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/web/confluence_data_center_and_server_privilege_escalation.yml b/detections/web/confluence_data_center_and_server_privilege_escalation.yml index eef1c19935..50aa9ffeff 100644 --- a/detections/web/confluence_data_center_and_server_privilege_escalation.yml +++ b/detections/web/confluence_data_center_and_server_privilege_escalation.yml @@ -17,12 +17,12 @@ references: - https://www.rapid7.com/blog/post/2023/10/04/etr-cve-2023-22515-zero-day-privilege-escalation-in-confluence-server-and-data-center/ - https://attackerkb.com/topics/Q5f0ItSzw5/cve-2023-22515/rapid7-analysis drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/web/confluence_pre_auth_rce_via_ognl_injection_cve_2023_22527.yml b/detections/web/confluence_pre_auth_rce_via_ognl_injection_cve_2023_22527.yml index c9baed52de..48465131a3 100644 --- a/detections/web/confluence_pre_auth_rce_via_ognl_injection_cve_2023_22527.yml +++ b/detections/web/confluence_pre_auth_rce_via_ognl_injection_cve_2023_22527.yml @@ -15,12 +15,12 @@ references: - https://github.com/cleverg0d/CVE-2023-22527 - https://confluence.atlassian.com/security/cve-2023-22527-rce-remote-code-execution-vulnerability-in-confluence-data-center-and-confluence-server-1333990257.html drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/web/confluence_unauthenticated_remote_code_execution_cve_2022_26134.yml b/detections/web/confluence_unauthenticated_remote_code_execution_cve_2022_26134.yml index 4bc46b2b8a..a52d29344d 100644 --- a/detections/web/confluence_unauthenticated_remote_code_execution_cve_2022_26134.yml +++ b/detections/web/confluence_unauthenticated_remote_code_execution_cve_2022_26134.yml @@ -17,12 +17,12 @@ references: - https://www.rapid7.com/blog/post/2022/06/02/active-exploitation-of-confluence-cve-2022-26134/ - https://www.volexity.com/blog/2022/06/02/zero-day-exploitation-of-atlassian-confluence/ drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/web/connectwise_screenconnect_authentication_bypass.yml b/detections/web/connectwise_screenconnect_authentication_bypass.yml index 361dad87d9..86c4aa0f06 100644 --- a/detections/web/connectwise_screenconnect_authentication_bypass.yml +++ b/detections/web/connectwise_screenconnect_authentication_bypass.yml @@ -16,12 +16,12 @@ references: - https://www.huntress.com/blog/detection-guidance-for-connectwise-cwe-288-2 - https://www.connectwise.com/company/trust/security-bulletins/connectwise-screenconnect-23.9.8 drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/web/detect_attackers_scanning_for_vulnerable_jboss_servers.yml b/detections/web/detect_attackers_scanning_for_vulnerable_jboss_servers.yml index 4f6e78a8a0..698d5999fe 100644 --- a/detections/web/detect_attackers_scanning_for_vulnerable_jboss_servers.yml +++ b/detections/web/detect_attackers_scanning_for_vulnerable_jboss_servers.yml @@ -5,24 +5,11 @@ date: '2024-10-17' author: Bhavin Patel, Splunk status: experimental type: TTP -description: The following analytic identifies specific GET or HEAD requests to web - servers that indicate reconnaissance attempts to find vulnerable JBoss servers. - It leverages data from the Web data model, focusing on HTTP methods and URLs associated - with JBoss management interfaces. This activity is significant because it often - precedes exploitation attempts using tools like JexBoss, which can compromise the - server. If confirmed malicious, attackers could gain unauthorized access, execute - arbitrary code, or escalate privileges, leading to potential data breaches and system - compromise. +description: The following analytic identifies specific GET or HEAD requests to web servers that indicate reconnaissance attempts to find vulnerable JBoss servers. It leverages data from the Web data model, focusing on HTTP methods and URLs associated with JBoss management interfaces. This activity is significant because it often precedes exploitation attempts using tools like JexBoss, which can compromise the server. If confirmed malicious, attackers could gain unauthorized access, execute arbitrary code, or escalate privileges, leading to potential data breaches and system compromise. data_source: [] -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) - as lastTime from datamodel=Web where (Web.http_method="GET" OR Web.http_method="HEAD") - AND (Web.url="*/web-console/ServerInfo.jsp*" OR Web.url="*web-console*" OR Web.url="*jmx-console*" - OR Web.url = "*invoker*") by Web.http_method, Web.url, Web.src, Web.dest | `drop_dm_object_name("Web")` - | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_attackers_scanning_for_vulnerable_jboss_servers_filter`' -how_to_implement: You must be ingesting data from the web server or network traffic - that contains web specific information, and populating the Web data model. -known_false_positives: It's possible for legitimate HTTP requests to be made to URLs - containing the suspicious paths. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where (Web.http_method="GET" OR Web.http_method="HEAD") AND (Web.url="*/web-console/ServerInfo.jsp*" OR Web.url="*web-console*" OR Web.url="*jmx-console*" OR Web.url = "*invoker*") by Web.http_method, Web.url, Web.src, Web.dest | `drop_dm_object_name("Web")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_attackers_scanning_for_vulnerable_jboss_servers_filter`' +how_to_implement: You must be ingesting data from the web server or network traffic that contains web specific information, and populating the Web data model. +known_false_positives: It's possible for legitimate HTTP requests to be made to URLs containing the suspicious paths. references: [] tags: analytic_story: diff --git a/detections/web/detect_f5_tmui_rce_cve_2020_5902.yml b/detections/web/detect_f5_tmui_rce_cve_2020_5902.yml index 06ed4b666b..12411042b2 100644 --- a/detections/web/detect_f5_tmui_rce_cve_2020_5902.yml +++ b/detections/web/detect_f5_tmui_rce_cve_2020_5902.yml @@ -5,23 +5,10 @@ date: '2024-10-17' author: Shannon Davis, Splunk status: experimental type: TTP -description: The following analytic identifies remote code execution (RCE) attempts - targeting F5 BIG-IP, BIG-IQ, and Traffix SDC devices, specifically exploiting CVE-2020-5902. - It uses regex to detect patterns in syslog data that match known exploit strings - such as "hsqldb;" and directory traversal sequences. This activity is significant - because successful exploitation can allow attackers to execute arbitrary commands - on the affected devices, leading to full system compromise. If confirmed malicious, - this could result in unauthorized access, data exfiltration, or further lateral - movement within the network. +description: The following analytic identifies remote code execution (RCE) attempts targeting F5 BIG-IP, BIG-IQ, and Traffix SDC devices, specifically exploiting CVE-2020-5902. It uses regex to detect patterns in syslog data that match known exploit strings such as "hsqldb;" and directory traversal sequences. This activity is significant because successful exploitation can allow attackers to execute arbitrary commands on the affected devices, leading to full system compromise. If confirmed malicious, this could result in unauthorized access, data exfiltration, or further lateral movement within the network. data_source: [] search: '`f5_bigip_rogue` | regex _raw="(hsqldb;|.*\\.\\.;.*)" | search `detect_f5_tmui_rce_cve_2020_5902_filter`' -how_to_implement: To consistently detect exploit attempts on F5 devices using the - vulnerabilities contained within CVE-2020-5902 it is recommended to ingest logs - via syslog. As many BIG-IP devices will have SSL enabled on their management interfaces, - detections via wire data may not pick anything up unless you are decrypting SSL - traffic in order to inspect it. I am using a regex string from a Cloudflare mitigation - technique to try and always catch the offending string (..;), along with the other - exploit of using (hsqldb;). +how_to_implement: To consistently detect exploit attempts on F5 devices using the vulnerabilities contained within CVE-2020-5902 it is recommended to ingest logs via syslog. As many BIG-IP devices will have SSL enabled on their management interfaces, detections via wire data may not pick anything up unless you are decrypting SSL traffic in order to inspect it. I am using a regex string from a Cloudflare mitigation technique to try and always catch the offending string (..;), along with the other exploit of using (hsqldb;). known_false_positives: unknown references: - https://www.ptsecurity.com/ww-en/about/news/f5-fixes-critical-vulnerability-discovered-by-positive-technologies-in-big-ip-application-delivery-controller/ diff --git a/detections/web/detect_malicious_requests_to_exploit_jboss_servers.yml b/detections/web/detect_malicious_requests_to_exploit_jboss_servers.yml index 2df8d1115f..cfdf6e52a6 100644 --- a/detections/web/detect_malicious_requests_to_exploit_jboss_servers.yml +++ b/detections/web/detect_malicious_requests_to_exploit_jboss_servers.yml @@ -5,24 +5,10 @@ date: '2024-10-17' author: Bhavin Patel, Splunk status: experimental type: TTP -description: The following analytic identifies malicious HTTP requests targeting the - jmx-console in JBoss servers. It detects unusually long URLs, indicative of embedded - payloads, by analyzing web server logs for GET or HEAD requests with specific URL - patterns and lengths. This activity is significant as it may indicate an attempt - to exploit JBoss vulnerabilities, potentially leading to unauthorized remote code - execution. If confirmed malicious, attackers could gain control over the server, - escalate privileges, and compromise sensitive data, posing a severe threat to the - organization's security. +description: The following analytic identifies malicious HTTP requests targeting the jmx-console in JBoss servers. It detects unusually long URLs, indicative of embedded payloads, by analyzing web server logs for GET or HEAD requests with specific URL patterns and lengths. This activity is significant as it may indicate an attempt to exploit JBoss vulnerabilities, potentially leading to unauthorized remote code execution. If confirmed malicious, attackers could gain control over the server, escalate privileges, and compromise sensitive data, posing a severe threat to the organization's security. data_source: [] -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) - as lastTime from datamodel=Web where (Web.http_method="GET" OR Web.http_method="HEAD") - by Web.http_method, Web.url,Web.url_length Web.src, Web.dest | search Web.url="*jmx-console/HtmlAdaptor?action=invokeOpByName&name=jboss.admin*import*" - AND Web.url_length > 200 | `drop_dm_object_name("Web")` | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` | table src, dest_ip, http_method, url, firstTime, - lastTime | `detect_malicious_requests_to_exploit_jboss_servers_filter`' -how_to_implement: You must ingest data from the web server or capture network data - that contains web specific information with solutions such as Bro or Splunk Stream, - and populating the Web data model +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where (Web.http_method="GET" OR Web.http_method="HEAD") by Web.http_method, Web.url,Web.url_length Web.src, Web.dest | search Web.url="*jmx-console/HtmlAdaptor?action=invokeOpByName&name=jboss.admin*import*" AND Web.url_length > 200 | `drop_dm_object_name("Web")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | table src, dest_ip, http_method, url, firstTime, lastTime | `detect_malicious_requests_to_exploit_jboss_servers_filter`' +how_to_implement: You must ingest data from the web server or capture network data that contains web specific information with solutions such as Bro or Splunk Stream, and populating the Web data model known_false_positives: No known false positives for this detection. references: [] tags: diff --git a/detections/web/detect_remote_access_software_usage_url.yml b/detections/web/detect_remote_access_software_usage_url.yml index a668b2ca0b..6cb8d99dfd 100644 --- a/detections/web/detect_remote_access_software_usage_url.yml +++ b/detections/web/detect_remote_access_software_usage_url.yml @@ -16,12 +16,12 @@ references: - https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/ - https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/ drilldown_searches: -- name: View the detection results for $src$ and $user$ - search: '%original_detection_search% | search src = $src$ user = $user$' +- name: View the detection results for - "$src$" and "$user$" + search: '%original_detection_search% | search src = "$src$" user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $src$ and $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($src$, $user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$src$" and "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/web/exploit_public_facing_application_via_apache_commons_text.yml b/detections/web/exploit_public_facing_application_via_apache_commons_text.yml index 9fb690caf9..4248e7a77f 100644 --- a/detections/web/exploit_public_facing_application_via_apache_commons_text.yml +++ b/detections/web/exploit_public_facing_application_via_apache_commons_text.yml @@ -19,12 +19,12 @@ references: - https://github.com/kljunowsky/CVE-2022-42889-text4shell - https://medium.com/geekculture/text4shell-exploit-walkthrough-ebc02a01f035 drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/web/exploit_public_facing_fortinet_fortinac_cve_2022_39952.yml b/detections/web/exploit_public_facing_fortinet_fortinac_cve_2022_39952.yml index 837818cc0e..9be6407d0a 100644 --- a/detections/web/exploit_public_facing_fortinet_fortinac_cve_2022_39952.yml +++ b/detections/web/exploit_public_facing_fortinet_fortinac_cve_2022_39952.yml @@ -16,12 +16,12 @@ references: - https://www.horizon3.ai/fortinet-fortinac-cve-2022-39952-deep-dive-and-iocs/ - https://viz.greynoise.io/tag/fortinac-rce-attempt?days=30 drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/web/f5_tmui_authentication_bypass.yml b/detections/web/f5_tmui_authentication_bypass.yml index 52cee3881f..4043d71792 100644 --- a/detections/web/f5_tmui_authentication_bypass.yml +++ b/detections/web/f5_tmui_authentication_bypass.yml @@ -15,12 +15,12 @@ references: - https://www.praetorian.com/blog/refresh-compromising-f5-big-ip-with-request-smuggling-cve-2023-46747/ - https://github.com/projectdiscovery/nuclei-templates/blob/3b0bb71bd627c6c3139e1d06c866f8402aa228ae/http/cves/2023/CVE-2023-46747.yaml drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/web/fortinet_appliance_auth_bypass.yml b/detections/web/fortinet_appliance_auth_bypass.yml index e68ce9cb33..1a65dc6f2e 100644 --- a/detections/web/fortinet_appliance_auth_bypass.yml +++ b/detections/web/fortinet_appliance_auth_bypass.yml @@ -19,12 +19,12 @@ references: - https://attackerkb.com/topics/QWOxGIKkGx/cve-2022-40684/rapid7-analysis - https://github.com/rapid7/metasploit-framework/pull/17143 drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/web/hunting_for_log4shell.yml b/detections/web/hunting_for_log4shell.yml index 5928a7643d..f88aa46263 100644 --- a/detections/web/hunting_for_log4shell.yml +++ b/detections/web/hunting_for_log4shell.yml @@ -5,36 +5,12 @@ date: '2024-10-17' author: Michael Haag, Splunk status: production type: Hunting -description: 'The following analytic detects potential exploitation attempts of the - Log4Shell vulnerability (CVE-2021-44228) by analyzing HTTP headers for specific - patterns. It leverages the Web Datamodel and evaluates various indicators such as - the presence of `{jndi:`, environment variables, and common URI paths. This detection - is significant as Log4Shell allows remote code execution, posing a severe threat - to systems. If confirmed malicious, attackers could gain unauthorized access, execute - arbitrary code, and potentially compromise sensitive data, leading to extensive - damage and data breaches.' +description: The following analytic detects potential exploitation attempts of the Log4Shell vulnerability (CVE-2021-44228) by analyzing HTTP headers for specific patterns. It leverages the Web Datamodel and evaluates various indicators such as the presence of `{jndi:`, environment variables, and common URI paths. This detection is significant as Log4Shell allows remote code execution, posing a severe threat to systems. If confirmed malicious, attackers could gain unauthorized access, execute arbitrary code, and potentially compromise sensitive data, leading to extensive damage and data breaches. data_source: - Nginx Access -search: '| from datamodel Web.Web | eval jndi=if(match(_raw, "(\{|%7B)[jJnNdDiI]{4}:"),4,0) - | eval jndi_fastmatch=if(match(_raw, "[jJnNdDiI]{4}"),2,0) | eval jndi_proto=if(match(_raw,"(?i)jndi:(ldap[s]?|rmi|dns|nis|iiop|corba|nds|http|https):"),5,0) - | eval all_match = if(match(_raw, "(?i)(%(25){0,}20|\s)*(%(25){0,}24|\$)(%(25){0,}20|\s)*(%(25){0,}7B|{)(%(25){0,}20|\s)*(%(25){0,}(6A|4A)|J)(%(25){0,}(6E|4E)|N)(%(25){0,}(64|44)|D)(%(25){0,}(69|49)|I)(%(25){0,}20|\s)*(%(25){0,}3A|:)[\w\%]+(%(25){1,}3A|:)(%(25){1,}2F|\/)[^\n]+"),5,0) - | eval env_var = if(match(_raw, "env:") OR match(_raw, "env:AWS_ACCESS_KEY_ID") - OR match(_raw, "env:AWS_SECRET_ACCESS_KEY"),5,0) | eval uridetect = if(match(_raw, - "(?i)Basic\/Command\/Base64|Basic\/ReverseShell|Basic\/TomcatMemshell|Basic\/JBossMemshell|Basic\/WebsphereMemshell|Basic\/SpringMemshell|Basic\/Command|Deserialization\/CommonsCollectionsK|Deserialization\/CommonsBeanutils|Deserialization\/Jre8u20\/TomcatMemshell|Deserialization\/CVE_2020_2555\/WeblogicMemshell|TomcatBypass|GroovyBypass|WebsphereBypass"),4,0) - | eval keywords = if(match(_raw,"(?i)\$\{ctx\:loginId\}|\$\{map\:type\}|\$\{filename\}|\$\{date\:MM-dd-yyyy\}|\$\{docker\:containerId\}|\$\{docker\:containerName\}|\$\{docker\:imageName\}|\$\{env\:USER\}|\$\{event\:Marker\}|\$\{mdc\:UserId\}|\$\{java\:runtime\}|\$\{java\:vm\}|\$\{java\:os\}|\$\{jndi\:logging/context-name\}|\$\{hostName\}|\$\{docker\:containerId\}|\$\{k8s\:accountName\}|\$\{k8s\:clusterName\}|\$\{k8s\:containerId\}|\$\{k8s\:containerName\}|\$\{k8s\:host\}|\$\{k8s\:labels.app\}|\$\{k8s\:labels.podTemplateHash\}|\$\{k8s\:masterUrl\}|\$\{k8s\:namespaceId\}|\$\{k8s\:namespaceName\}|\$\{k8s\:podId\}|\$\{k8s\:podIp\}|\$\{k8s\:podName\}|\$\{k8s\:imageId\}|\$\{k8s\:imageName\}|\$\{log4j\:configLocation\}|\$\{log4j\:configParentLocation\}|\$\{spring\:spring.application.name\}|\$\{main\:myString\}|\$\{main\:0\}|\$\{main\:1\}|\$\{main\:2\}|\$\{main\:3\}|\$\{main\:4\}|\$\{main\:bar\}|\$\{name\}|\$\{marker\}|\$\{marker\:name\}|\$\{spring\:profiles.active[0]|\$\{sys\:logPath\}|\$\{web\:rootDir\}|\$\{sys\:user.name\}"),4,0) - | eval obf = if(match(_raw, "(\$|%24)[^ /]*({|%7b)[^ /]*(j|%6a)[^ /]*(n|%6e)[^ /]*(d|%64)[^ - /]*(i|%69)[^ /]*(:|%3a)[^ /]*(:|%3a)[^ /]*(/|%2f)"),5,0) | eval lookups = if(match(_raw, - "(?i)({|%7b)(main|sys|k8s|spring|lower|upper|env|date|sd)"),4,0) | addtotals fieldname=Score, - jndi, jndi_proto, env_var, uridetect, all_match, jndi_fastmatch, keywords, obf, - lookups | where Score > 2 | stats values(Score) by jndi, jndi_proto, env_var, uridetect, - all_match, jndi_fastmatch, keywords, lookups, obf, dest, src, http_method, _raw - | `hunting_for_log4shell_filter`' -how_to_implement: Out of the box, the Web datamodel is required to be pre-filled. - However, tested was performed against raw httpd access logs. Change the first line - to any dataset to pass the regex's against. -known_false_positives: It is highly possible you will find false positives, however, - the base score is set to 2 for _any_ jndi found in raw logs. tune and change as - needed, include any filtering. +search: '| from datamodel Web.Web | eval jndi=if(match(_raw, "(\{|%7B)[jJnNdDiI]{4}:"),4,0) | eval jndi_fastmatch=if(match(_raw, "[jJnNdDiI]{4}"),2,0) | eval jndi_proto=if(match(_raw,"(?i)jndi:(ldap[s]?|rmi|dns|nis|iiop|corba|nds|http|https):"),5,0) | eval all_match = if(match(_raw, "(?i)(%(25){0,}20|\s)*(%(25){0,}24|\$)(%(25){0,}20|\s)*(%(25){0,}7B|{)(%(25){0,}20|\s)*(%(25){0,}(6A|4A)|J)(%(25){0,}(6E|4E)|N)(%(25){0,}(64|44)|D)(%(25){0,}(69|49)|I)(%(25){0,}20|\s)*(%(25){0,}3A|:)[\w\%]+(%(25){1,}3A|:)(%(25){1,}2F|\/)[^\n]+"),5,0) | eval env_var = if(match(_raw, "env:") OR match(_raw, "env:AWS_ACCESS_KEY_ID") OR match(_raw, "env:AWS_SECRET_ACCESS_KEY"),5,0) | eval uridetect = if(match(_raw, "(?i)Basic\/Command\/Base64|Basic\/ReverseShell|Basic\/TomcatMemshell|Basic\/JBossMemshell|Basic\/WebsphereMemshell|Basic\/SpringMemshell|Basic\/Command|Deserialization\/CommonsCollectionsK|Deserialization\/CommonsBeanutils|Deserialization\/Jre8u20\/TomcatMemshell|Deserialization\/CVE_2020_2555\/WeblogicMemshell|TomcatBypass|GroovyBypass|WebsphereBypass"),4,0) | eval keywords = if(match(_raw,"(?i)\$\{ctx\:loginId\}|\$\{map\:type\}|\$\{filename\}|\$\{date\:MM-dd-yyyy\}|\$\{docker\:containerId\}|\$\{docker\:containerName\}|\$\{docker\:imageName\}|\$\{env\:USER\}|\$\{event\:Marker\}|\$\{mdc\:UserId\}|\$\{java\:runtime\}|\$\{java\:vm\}|\$\{java\:os\}|\$\{jndi\:logging/context-name\}|\$\{hostName\}|\$\{docker\:containerId\}|\$\{k8s\:accountName\}|\$\{k8s\:clusterName\}|\$\{k8s\:containerId\}|\$\{k8s\:containerName\}|\$\{k8s\:host\}|\$\{k8s\:labels.app\}|\$\{k8s\:labels.podTemplateHash\}|\$\{k8s\:masterUrl\}|\$\{k8s\:namespaceId\}|\$\{k8s\:namespaceName\}|\$\{k8s\:podId\}|\$\{k8s\:podIp\}|\$\{k8s\:podName\}|\$\{k8s\:imageId\}|\$\{k8s\:imageName\}|\$\{log4j\:configLocation\}|\$\{log4j\:configParentLocation\}|\$\{spring\:spring.application.name\}|\$\{main\:myString\}|\$\{main\:0\}|\$\{main\:1\}|\$\{main\:2\}|\$\{main\:3\}|\$\{main\:4\}|\$\{main\:bar\}|\$\{name\}|\$\{marker\}|\$\{marker\:name\}|\$\{spring\:profiles.active[0]|\$\{sys\:logPath\}|\$\{web\:rootDir\}|\$\{sys\:user.name\}"),4,0) | eval obf = if(match(_raw, "(\$|%24)[^ /]*({|%7b)[^ /]*(j|%6a)[^ /]*(n|%6e)[^ /]*(d|%64)[^ /]*(i|%69)[^ /]*(:|%3a)[^ /]*(:|%3a)[^ /]*(/|%2f)"),5,0) | eval lookups = if(match(_raw, "(?i)({|%7b)(main|sys|k8s|spring|lower|upper|env|date|sd)"),4,0) | addtotals fieldname=Score, jndi, jndi_proto, env_var, uridetect, all_match, jndi_fastmatch, keywords, obf, lookups | where Score > 2 | stats values(Score) by jndi, jndi_proto, env_var, uridetect, all_match, jndi_fastmatch, keywords, lookups, obf, dest, src, http_method, _raw | `hunting_for_log4shell_filter`' +how_to_implement: Out of the box, the Web datamodel is required to be pre-filled. However, tested was performed against raw httpd access logs. Change the first line to any dataset to pass the regex's against. +known_false_positives: It is highly possible you will find false positives, however, the base score is set to 2 for _any_ jndi found in raw logs. tune and change as needed, include any filtering. references: - https://gist.github.com/olafhartong/916ebc673ba066537740164f7e7e1d72 - https://gist.github.com/Neo23x0/e4c8b03ff8cdf1fa63b7d15db6e3860b#gistcomment-3994449 @@ -77,7 +53,6 @@ tags: tests: - name: True Positive Test attack_data: - - data: - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/java/log4shell-nginx.log + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/java/log4shell-nginx.log source: /var/log/nginx/access.log sourcetype: nginx:plus:kv diff --git a/detections/web/ivanti_connect_secure_command_injection_attempts.yml b/detections/web/ivanti_connect_secure_command_injection_attempts.yml index d058155eb0..8ee52267fe 100644 --- a/detections/web/ivanti_connect_secure_command_injection_attempts.yml +++ b/detections/web/ivanti_connect_secure_command_injection_attempts.yml @@ -19,12 +19,12 @@ references: - https://labs.watchtowr.com/welcome-to-2024-the-sslvpn-chaos-continues-ivanti-cve-2023-46805-cve-2024-21887/ - https://twitter.com/GreyNoiseIO/status/1747711939466453301 drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/web/ivanti_connect_secure_ssrf_in_saml_component.yml b/detections/web/ivanti_connect_secure_ssrf_in_saml_component.yml index 2e4945397f..fea7dd1e5a 100644 --- a/detections/web/ivanti_connect_secure_ssrf_in_saml_component.yml +++ b/detections/web/ivanti_connect_secure_ssrf_in_saml_component.yml @@ -15,12 +15,12 @@ references: - https://attackerkb.com/topics/FGlK1TVnB2/cve-2024-21893/rapid7-analysis - https://www.assetnote.io/resources/research/ivantis-pulse-connect-secure-auth-bypass-round-two drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/web/ivanti_connect_secure_system_information_access_via_auth_bypass.yml b/detections/web/ivanti_connect_secure_system_information_access_via_auth_bypass.yml index 5ac86eb0c4..b1ebe01e67 100644 --- a/detections/web/ivanti_connect_secure_system_information_access_via_auth_bypass.yml +++ b/detections/web/ivanti_connect_secure_system_information_access_via_auth_bypass.yml @@ -16,12 +16,12 @@ references: - https://github.com/projectdiscovery/nuclei-templates/blob/c6b351e71b0fb0e40e222e97038f1fe09ac58194/http/misconfiguration/ivanti/CVE-2023-46085-CVE-2024-21887-mitigation-not-applied.yaml - https://github.com/rapid7/metasploit-framework/pull/18708/files drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/web/ivanti_epm_sql_injection_remote_code_execution.yml b/detections/web/ivanti_epm_sql_injection_remote_code_execution.yml index 8e34da6e28..b169b8f64d 100644 --- a/detections/web/ivanti_epm_sql_injection_remote_code_execution.yml +++ b/detections/web/ivanti_epm_sql_injection_remote_code_execution.yml @@ -16,12 +16,12 @@ references: - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-29824 - https://github.com/projectdiscovery/nuclei-templates/pull/10020/files drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/web/ivanti_epmm_remote_unauthenticated_api_access_cve_2023_35078.yml b/detections/web/ivanti_epmm_remote_unauthenticated_api_access_cve_2023_35078.yml index b6500db7c5..3ee8811f44 100644 --- a/detections/web/ivanti_epmm_remote_unauthenticated_api_access_cve_2023_35078.yml +++ b/detections/web/ivanti_epmm_remote_unauthenticated_api_access_cve_2023_35078.yml @@ -15,12 +15,12 @@ references: - https://forums.ivanti.com/s/article/CVE-2023-35078-Remote-unauthenticated-API-access-vulnerability?language=en_US - https://github.com/vchan-in/CVE-2023-35078-Exploit-POC/blob/main/cve_2023_35078_poc.py drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/web/ivanti_epmm_remote_unauthenticated_api_access_cve_2023_35082.yml b/detections/web/ivanti_epmm_remote_unauthenticated_api_access_cve_2023_35082.yml index b3e53be7cb..0b625239ee 100644 --- a/detections/web/ivanti_epmm_remote_unauthenticated_api_access_cve_2023_35082.yml +++ b/detections/web/ivanti_epmm_remote_unauthenticated_api_access_cve_2023_35082.yml @@ -16,12 +16,12 @@ references: - https://github.com/vchan-in/CVE-2023-35078-Exploit-POC/blob/main/cve_2023_35078_poc.py - https://www.rapid7.com/blog/post/2023/08/02/cve-2023-35082-mobileiron-core-unauthenticated-api-access-vulnerability/ drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/web/ivanti_sentry_authentication_bypass.yml b/detections/web/ivanti_sentry_authentication_bypass.yml index 5d25ce2982..aeb8b3bac2 100644 --- a/detections/web/ivanti_sentry_authentication_bypass.yml +++ b/detections/web/ivanti_sentry_authentication_bypass.yml @@ -16,12 +16,12 @@ references: - https://www.horizon3.ai/ivanti-sentry-authentication-bypass-cve-2023-38035-deep-dive/ - https://forums.ivanti.com/s/article/KB-API-Authentication-Bypass-on-Sentry-Administrator-Interface-CVE-2023-38035?language=en_US drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/web/jenkins_arbitrary_file_read_cve_2024_23897.yml b/detections/web/jenkins_arbitrary_file_read_cve_2024_23897.yml index b3d75d7f8c..679b22107d 100644 --- a/detections/web/jenkins_arbitrary_file_read_cve_2024_23897.yml +++ b/detections/web/jenkins_arbitrary_file_read_cve_2024_23897.yml @@ -20,12 +20,12 @@ references: - https://www.shodan.io/search?query=product%3A%22Jenkins%22 - https://thehackernews.com/2024/01/critical-jenkins-vulnerability-exposes.html drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/web/jetbrains_teamcity_authentication_bypass_cve_2024_27198.yml b/detections/web/jetbrains_teamcity_authentication_bypass_cve_2024_27198.yml index 0076e0bdf7..796be2da3e 100644 --- a/detections/web/jetbrains_teamcity_authentication_bypass_cve_2024_27198.yml +++ b/detections/web/jetbrains_teamcity_authentication_bypass_cve_2024_27198.yml @@ -18,12 +18,12 @@ references: - https://blog.jetbrains.com/teamcity/2024/03/additional-critical-security-issues-affecting-teamcity-on-premises-cve-2024-27198-and-cve-2024-27199-update-to-2023-11-4-now/ - https://github.com/yoryio/CVE-2024-27198/blob/main/CVE-2024-27198.py drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/web/jetbrains_teamcity_authentication_bypass_suricata_cve_2024_27198.yml b/detections/web/jetbrains_teamcity_authentication_bypass_suricata_cve_2024_27198.yml index 6d1cf1a6ce..cb2b785167 100644 --- a/detections/web/jetbrains_teamcity_authentication_bypass_suricata_cve_2024_27198.yml +++ b/detections/web/jetbrains_teamcity_authentication_bypass_suricata_cve_2024_27198.yml @@ -17,12 +17,12 @@ references: - https://blog.jetbrains.com/teamcity/2024/03/teamcity-2023-11-4-is-out/ - https://blog.jetbrains.com/teamcity/2024/03/additional-critical-security-issues-affecting-teamcity-on-premises-cve-2024-27198-and-cve-2024-27199-update-to-2023-11-4-now/ drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/web/jetbrains_teamcity_limited_auth_bypass_suricata_cve_2024_27199.yml b/detections/web/jetbrains_teamcity_limited_auth_bypass_suricata_cve_2024_27199.yml index 40dfb7e794..094ff34444 100644 --- a/detections/web/jetbrains_teamcity_limited_auth_bypass_suricata_cve_2024_27199.yml +++ b/detections/web/jetbrains_teamcity_limited_auth_bypass_suricata_cve_2024_27199.yml @@ -17,12 +17,12 @@ references: - https://blog.jetbrains.com/teamcity/2024/03/teamcity-2023-11-4-is-out/ - https://blog.jetbrains.com/teamcity/2024/03/additional-critical-security-issues-affecting-teamcity-on-premises-cve-2024-27198-and-cve-2024-27199-update-to-2023-11-4-now/ drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/web/jetbrains_teamcity_rce_attempt.yml b/detections/web/jetbrains_teamcity_rce_attempt.yml index d67e3a26e5..0b5bce816f 100644 --- a/detections/web/jetbrains_teamcity_rce_attempt.yml +++ b/detections/web/jetbrains_teamcity_rce_attempt.yml @@ -17,12 +17,12 @@ references: - https://github.com/rapid7/metasploit-framework/pull/18408 - https://attackerkb.com/topics/1XEEEkGHzt/cve-2023-42793/rapid7-analysis drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/web/juniper_networks_remote_code_execution_exploit_detection.yml b/detections/web/juniper_networks_remote_code_execution_exploit_detection.yml index 81514761e0..afdb073b1f 100644 --- a/detections/web/juniper_networks_remote_code_execution_exploit_detection.yml +++ b/detections/web/juniper_networks_remote_code_execution_exploit_detection.yml @@ -19,12 +19,12 @@ references: - https://labs.watchtowr.com/cve-2023-36844-and-friends-rce-in-juniper-firewalls/ - https://vulncheck.com/blog/juniper-cve-2023-36845 drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/web/log4shell_jndi_payload_injection_attempt.yml b/detections/web/log4shell_jndi_payload_injection_attempt.yml index 9fd5015ba7..5cec66ffc9 100644 --- a/detections/web/log4shell_jndi_payload_injection_attempt.yml +++ b/detections/web/log4shell_jndi_payload_injection_attempt.yml @@ -14,12 +14,12 @@ known_false_positives: If there is a vulnerablility scannner looking for log4she references: - https://www.lunasec.io/docs/blog/log4j-zero-day/ drilldown_searches: -- name: View the detection results for $user$ and $dest$ - search: '%original_detection_search% | search user = $user$ dest = $dest$' +- name: View the detection results for - "$user$" and "$dest$" + search: '%original_detection_search% | search user = "$user$" dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ and $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$, $dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" and "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/web/log4shell_jndi_payload_injection_with_outbound_connection.yml b/detections/web/log4shell_jndi_payload_injection_with_outbound_connection.yml index c9cc7ca9d0..ea36371aff 100644 --- a/detections/web/log4shell_jndi_payload_injection_with_outbound_connection.yml +++ b/detections/web/log4shell_jndi_payload_injection_with_outbound_connection.yml @@ -13,12 +13,12 @@ known_false_positives: If there is a vulnerablility scannner looking for log4she references: - https://www.lunasec.io/docs/blog/log4j-zero-day/ drilldown_searches: -- name: View the detection results for $user$ and $dest$ - search: '%original_detection_search% | search user = $user$ dest = $dest$' +- name: View the detection results for - "$user$" and "$dest$" + search: '%original_detection_search% | search user = "$user$" dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $user$ and $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$, $dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" and "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/web/microsoft_sharepoint_server_elevation_of_privilege.yml b/detections/web/microsoft_sharepoint_server_elevation_of_privilege.yml index 7399f318ab..05f63dac19 100644 --- a/detections/web/microsoft_sharepoint_server_elevation_of_privilege.yml +++ b/detections/web/microsoft_sharepoint_server_elevation_of_privilege.yml @@ -15,12 +15,12 @@ references: - https://socradar.io/microsoft-sharepoint-server-elevation-of-privilege-vulnerability-exploit-cve-2023-29357/ - https://github.com/LuemmelSec/CVE-2023-29357/blob/main/CVE-2023-29357/Program.cs drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/web/monitor_web_traffic_for_brand_abuse.yml b/detections/web/monitor_web_traffic_for_brand_abuse.yml index d9df90fd24..76576b90d2 100644 --- a/detections/web/monitor_web_traffic_for_brand_abuse.yml +++ b/detections/web/monitor_web_traffic_for_brand_abuse.yml @@ -5,22 +5,10 @@ date: '2024-10-17' author: David Dorsey, Splunk status: experimental type: TTP -description: The following analytic identifies web requests to domains that closely - resemble your monitored brand's domain, indicating potential brand abuse. It leverages - data from web traffic sources, such as web proxies or network traffic analysis tools, - and cross-references these with known domain permutations generated by the "ESCU - - DNSTwist Domain Names" search. This activity is significant as it can indicate - phishing attempts or other malicious activities targeting your brand. If confirmed - malicious, attackers could deceive users, steal credentials, or distribute malware, - leading to significant reputational and financial damage. +description: The following analytic identifies web requests to domains that closely resemble your monitored brand's domain, indicating potential brand abuse. It leverages data from web traffic sources, such as web proxies or network traffic analysis tools, and cross-references these with known domain permutations generated by the "ESCU - DNSTwist Domain Names" search. This activity is significant as it can indicate phishing attempts or other malicious activities targeting your brand. If confirmed malicious, attackers could deceive users, steal credentials, or distribute malware, leading to significant reputational and financial damage. data_source: [] -search: '| tstats `security_content_summariesonly` values(Web.url) as urls min(_time) - as firstTime from datamodel=Web by Web.src | `drop_dm_object_name("Web")` | `security_content_ctime(firstTime)` - | `brand_abuse_web` | `monitor_web_traffic_for_brand_abuse_filter`' -how_to_implement: You need to ingest data from your web traffic. This can be accomplished - by indexing data from a web proxy, or using a network traffic analysis tool, such - as Bro or Splunk Stream. You also need to have run the search "ESCU - DNSTwist Domain - Names", which creates the permutations of the domain that will be checked for. +search: '| tstats `security_content_summariesonly` values(Web.url) as urls min(_time) as firstTime from datamodel=Web by Web.src | `drop_dm_object_name("Web")` | `security_content_ctime(firstTime)` | `brand_abuse_web` | `monitor_web_traffic_for_brand_abuse_filter`' +how_to_implement: You need to ingest data from your web traffic. This can be accomplished by indexing data from a web proxy, or using a network traffic analysis tool, such as Bro or Splunk Stream. You also need to have run the search "ESCU - DNSTwist Domain Names", which creates the permutations of the domain that will be checked for. known_false_positives: None at this time references: [] tags: diff --git a/detections/web/nginx_connectwise_screenconnect_authentication_bypass.yml b/detections/web/nginx_connectwise_screenconnect_authentication_bypass.yml index ea4ada6b3c..138580f5a6 100644 --- a/detections/web/nginx_connectwise_screenconnect_authentication_bypass.yml +++ b/detections/web/nginx_connectwise_screenconnect_authentication_bypass.yml @@ -18,12 +18,12 @@ references: - https://www.huntress.com/blog/detection-guidance-for-connectwise-cwe-288-2 - https://www.connectwise.com/company/trust/security-bulletins/connectwise-screenconnect-23.9.8 drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/web/papercut_ng_remote_web_access_attempt.yml b/detections/web/papercut_ng_remote_web_access_attempt.yml index 747e1a62b8..1be5f5b538 100644 --- a/detections/web/papercut_ng_remote_web_access_attempt.yml +++ b/detections/web/papercut_ng_remote_web_access_attempt.yml @@ -18,12 +18,12 @@ references: - https://www.bleepingcomputer.com/news/security/hackers-actively-exploit-critical-rce-bug-in-papercut-servers/ - https://www.huntress.com/blog/critical-vulnerabilities-in-papercut-print-management-software drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/web/proxyshell_proxynotshell_behavior_detected.yml b/detections/web/proxyshell_proxynotshell_behavior_detected.yml index d90f7b8564..3b8628a558 100644 --- a/detections/web/proxyshell_proxynotshell_behavior_detected.yml +++ b/detections/web/proxyshell_proxynotshell_behavior_detected.yml @@ -14,12 +14,12 @@ references: - https://www.gteltsc.vn/blog/warning-new-attack-campaign-utilized-a-new-0day-rce-vulnerability-on-microsoft-exchange-server-12715.html - https://msrc-blog.microsoft.com/2022/09/29/customer-guidance-for-reported-zero-day-vulnerabilities-in-microsoft-exchange-server/ drilldown_searches: -- name: View the detection results for $risk_object$ - search: '%original_detection_search% | search risk_object = $risk_object$' +- name: View the detection results for - "$risk_object$" + search: '%original_detection_search% | search risk_object = "$risk_object$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $risk_object$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($risk_object$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$risk_object$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$risk_object$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/web/spring4shell_payload_url_request.yml b/detections/web/spring4shell_payload_url_request.yml index f84a05ed73..cf5c4727c9 100644 --- a/detections/web/spring4shell_payload_url_request.yml +++ b/detections/web/spring4shell_payload_url_request.yml @@ -16,12 +16,12 @@ references: - https://github.com/TheGejr/SpringShell - https://www.tenable.com/blog/spring4shell-faq-spring-framework-remote-code-execution-vulnerability drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/web/sql_injection_with_long_urls.yml b/detections/web/sql_injection_with_long_urls.yml index f3a49187bc..0e6a678a17 100644 --- a/detections/web/sql_injection_with_long_urls.yml +++ b/detections/web/sql_injection_with_long_urls.yml @@ -5,36 +5,11 @@ date: '2024-10-17' author: Bhavin Patel, Splunk status: experimental type: TTP -description: "The following analytic detects long URLs containing multiple SQL commands, - indicating a potential SQL injection attack. This detection leverages web traffic - data, specifically targeting web server destinations with URLs longer than 1024 - characters or HTTP user agents longer than 200 characters. SQL injection is significant - as it allows attackers to manipulate a web application's database, potentially leading - to unauthorized data access or modification. If confirmed malicious, this activity - could result in data breaches, unauthorized access, and complete system compromise. - Immediate investigation and validation of alerts are crucial to mitigate these risks." +description: The following analytic detects long URLs containing multiple SQL commands, indicating a potential SQL injection attack. This detection leverages web traffic data, specifically targeting web server destinations with URLs longer than 1024 characters or HTTP user agents longer than 200 characters. SQL injection is significant as it allows attackers to manipulate a web application's database, potentially leading to unauthorized data access or modification. If confirmed malicious, this activity could result in data breaches, unauthorized access, and complete system compromise. Immediate investigation and validation of alerts are crucial to mitigate these risks. data_source: [] -search: '| tstats `security_content_summariesonly` count from datamodel=Web where - Web.dest_category=web_server AND (Web.url_length > 1024 OR Web.http_user_agent_length - > 200) by Web.src Web.dest Web.url Web.url_length Web.http_user_agent | `drop_dm_object_name("Web")` - | eval url=lower(url) | eval num_sql_cmds=mvcount(split(url, "alter%20table")) + - mvcount(split(url, "between")) + mvcount(split(url, "create%20table")) + mvcount(split(url, - "create%20database")) + mvcount(split(url, "create%20index")) + mvcount(split(url, - "create%20view")) + mvcount(split(url, "delete")) + mvcount(split(url, "drop%20database")) - + mvcount(split(url, "drop%20index")) + mvcount(split(url, "drop%20table")) + mvcount(split(url, - "exists")) + mvcount(split(url, "exec")) + mvcount(split(url, "group%20by")) + mvcount(split(url, - "having")) + mvcount(split(url, "insert%20into")) + mvcount(split(url, "inner%20join")) - + mvcount(split(url, "left%20join")) + mvcount(split(url, "right%20join")) + mvcount(split(url, - "full%20join")) + mvcount(split(url, "select")) + mvcount(split(url, "distinct")) - + mvcount(split(url, "select%20top")) + mvcount(split(url, "union")) + mvcount(split(url, - "xp_cmdshell")) - 24 | where num_sql_cmds > 3 | `sql_injection_with_long_urls_filter`' -how_to_implement: To successfully implement this search, you need to be monitoring - network communications to your web servers or ingesting your HTTP logs and populating - the Web data model. You must also identify your web servers in the Enterprise Security - assets table. -known_false_positives: It's possible that legitimate traffic will have long URLs or - long user agent strings and that common SQL commands may be found within the URL. - Please investigate as appropriate. +search: '| tstats `security_content_summariesonly` count from datamodel=Web where Web.dest_category=web_server AND (Web.url_length > 1024 OR Web.http_user_agent_length > 200) by Web.src Web.dest Web.url Web.url_length Web.http_user_agent | `drop_dm_object_name("Web")` | eval url=lower(url) | eval num_sql_cmds=mvcount(split(url, "alter%20table")) + mvcount(split(url, "between")) + mvcount(split(url, "create%20table")) + mvcount(split(url, "create%20database")) + mvcount(split(url, "create%20index")) + mvcount(split(url, "create%20view")) + mvcount(split(url, "delete")) + mvcount(split(url, "drop%20database")) + mvcount(split(url, "drop%20index")) + mvcount(split(url, "drop%20table")) + mvcount(split(url, "exists")) + mvcount(split(url, "exec")) + mvcount(split(url, "group%20by")) + mvcount(split(url, "having")) + mvcount(split(url, "insert%20into")) + mvcount(split(url, "inner%20join")) + mvcount(split(url, "left%20join")) + mvcount(split(url, "right%20join")) + mvcount(split(url, "full%20join")) + mvcount(split(url, "select")) + mvcount(split(url, "distinct")) + mvcount(split(url, "select%20top")) + mvcount(split(url, "union")) + mvcount(split(url, "xp_cmdshell")) - 24 | where num_sql_cmds > 3 | `sql_injection_with_long_urls_filter`' +how_to_implement: To successfully implement this search, you need to be monitoring network communications to your web servers or ingesting your HTTP logs and populating the Web data model. You must also identify your web servers in the Enterprise Security assets table. +known_false_positives: It's possible that legitimate traffic will have long URLs or long user agent strings and that common SQL commands may be found within the URL. Please investigate as appropriate. references: [] tags: analytic_story: diff --git a/detections/web/supernova_webshell.yml b/detections/web/supernova_webshell.yml index 0edfd0dd8f..f34d8d78d0 100644 --- a/detections/web/supernova_webshell.yml +++ b/detections/web/supernova_webshell.yml @@ -5,19 +5,11 @@ date: '2024-10-17' author: John Stoner, Splunk status: experimental type: TTP -description: |- - The following analytic detects the presence of the Supernova webshell, used in the SUNBURST attack, by identifying specific patterns in web URLs. The detection leverages Splunk to search for URLs containing "*logoimagehandler.ashx*codes*", "*logoimagehandler.ashx*clazz*", "*logoimagehandler.ashx*method*", and "*logoimagehandler.ashx*args*". This activity is significant as it indicates potential unauthorized access and arbitrary code execution on a compromised system. If confirmed malicious, this could lead to data theft, ransomware deployment, or other severe outcomes. Immediate steps include reviewing the web URLs, inspecting on-disk artifacts, and analyzing concurrent processes and network connections. +description: The following analytic detects the presence of the Supernova webshell, used in the SUNBURST attack, by identifying specific patterns in web URLs. The detection leverages Splunk to search for URLs containing "*logoimagehandler.ashx*codes*", "*logoimagehandler.ashx*clazz*", "*logoimagehandler.ashx*method*", and "*logoimagehandler.ashx*args*". This activity is significant as it indicates potential unauthorized access and arbitrary code execution on a compromised system. If confirmed malicious, this could lead to data theft, ransomware deployment, or other severe outcomes. Immediate steps include reviewing the web URLs, inspecting on-disk artifacts, and analyzing concurrent processes and network connections. data_source: [] -search: '| tstats `security_content_summariesonly` count from datamodel=Web.Web where - web.url=*logoimagehandler.ashx*codes* OR Web.url=*logoimagehandler.ashx*clazz* OR - Web.url=*logoimagehandler.ashx*method* OR Web.url=*logoimagehandler.ashx*args* by - Web.src Web.dest Web.url Web.vendor_product Web.user Web.http_user_agent _time span=1s - | `supernova_webshell_filter`' -how_to_implement: To successfully implement this search, you need to be monitoring - web traffic to your Solarwinds Orion. The logs should be ingested into splunk and - populating/mapped to the Web data model. -known_false_positives: There might be false positives associted with this detection - since items like args as a web argument is pretty generic. +search: '| tstats `security_content_summariesonly` count from datamodel=Web.Web where web.url=*logoimagehandler.ashx*codes* OR Web.url=*logoimagehandler.ashx*clazz* OR Web.url=*logoimagehandler.ashx*method* OR Web.url=*logoimagehandler.ashx*args* by Web.src Web.dest Web.url Web.vendor_product Web.user Web.http_user_agent _time span=1s | `supernova_webshell_filter`' +how_to_implement: To successfully implement this search, you need to be monitoring web traffic to your Solarwinds Orion. The logs should be ingested into splunk and populating/mapped to the Web data model. +known_false_positives: There might be false positives associted with this detection since items like args as a web argument is pretty generic. references: - https://www.splunk.com/en_us/blog/security/detecting-supernova-malware-solarwinds-continued.html - https://www.guidepointsecurity.com/blog/supernova-solarwinds-net-webshell-analysis/ diff --git a/detections/web/vmware_aria_operations_exploit_attempt.yml b/detections/web/vmware_aria_operations_exploit_attempt.yml index 6a58e73874..bb480129bf 100644 --- a/detections/web/vmware_aria_operations_exploit_attempt.yml +++ b/detections/web/vmware_aria_operations_exploit_attempt.yml @@ -17,12 +17,12 @@ references: - https://github.com/sinsinology/CVE-2023-20887 - https://summoning.team/blog/vmware-vrealize-network-insight-rce-cve-2023-20887/ drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/web/vmware_server_side_template_injection_hunt.yml b/detections/web/vmware_server_side_template_injection_hunt.yml index 9a0f54baf8..ee28a5064c 100644 --- a/detections/web/vmware_server_side_template_injection_hunt.yml +++ b/detections/web/vmware_server_side_template_injection_hunt.yml @@ -5,27 +5,12 @@ date: '2024-10-17' author: Michael Haag, Splunk status: production type: Hunting -description: The following analytic identifies potential server-side template injection - attempts related to CVE-2022-22954. It detects suspicious URL patterns containing - "deviceudid" and keywords like "java.lang.ProcessBuilder" or "freemarker.template.utility.ObjectConstructor" - using web or proxy logs within the Web Datamodel. This activity is significant as - it may indicate an attempt to exploit a known vulnerability in VMware, potentially - leading to remote code execution. If confirmed malicious, attackers could gain unauthorized - access, execute arbitrary code, and compromise the affected system, posing a severe - security risk. +description: The following analytic identifies potential server-side template injection attempts related to CVE-2022-22954. It detects suspicious URL patterns containing "deviceudid" and keywords like "java.lang.ProcessBuilder" or "freemarker.template.utility.ObjectConstructor" using web or proxy logs within the Web Datamodel. This activity is significant as it may indicate an attempt to exploit a known vulnerability in VMware, potentially leading to remote code execution. If confirmed malicious, attackers could gain unauthorized access, execute arbitrary code, and compromise the affected system, posing a severe security risk. data_source: - Palo Alto Network Threat -search: '| tstats count from datamodel=Web where Web.http_method IN ("GET") Web.url="*deviceudid=*" - AND Web.url IN ("*java.lang.ProcessBuilder*","*freemarker.template.utility.ObjectConstructor*") - by Web.http_user_agent Web.http_method, Web.url,Web.url_length Web.src, Web.dest - sourcetype | `drop_dm_object_name("Web")` | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` | `vmware_server_side_template_injection_hunt_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting - web or proxy logs, or ensure it is being filled by a proxy like device, into the - Web Datamodel. For additional filtering, allow list private IP space or restrict - by known good. -known_false_positives: False positives may be present if the activity is blocked or - was not successful. Filter known vulnerablity scanners. Filter as needed. +search: '| tstats count from datamodel=Web where Web.http_method IN ("GET") Web.url="*deviceudid=*" AND Web.url IN ("*java.lang.ProcessBuilder*","*freemarker.template.utility.ObjectConstructor*") by Web.http_user_agent Web.http_method, Web.url,Web.url_length Web.src, Web.dest sourcetype | `drop_dm_object_name("Web")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `vmware_server_side_template_injection_hunt_filter`' +how_to_implement: To successfully implement this search, you need to be ingesting web or proxy logs, or ensure it is being filled by a proxy like device, into the Web Datamodel. For additional filtering, allow list private IP space or restrict by known good. +known_false_positives: False positives may be present if the activity is blocked or was not successful. Filter known vulnerablity scanners. Filter as needed. references: - https://www.cisa.gov/uscert/ncas/alerts/aa22-138b - https://github.com/wvu/metasploit-framework/blob/master/modules/exploits/linux/http/vmware_workspace_one_access_cve_2022_22954.rb @@ -41,8 +26,7 @@ tags: cve: - CVE-2022-22954 impact: 70 - message: An attempt to exploit a VMware Server Side Injection CVE-2022-22954 on - $dest$ has occurred. + message: An attempt to exploit a VMware Server Side Injection CVE-2022-22954 on $dest$ has occurred. mitre_attack_id: - T1190 - T1133 @@ -67,8 +51,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/vmware/vmware_scanning_pan_threat.log + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/vmware/vmware_scanning_pan_threat.log source: pan:threat sourcetype: pan:threat update_timestamp: true diff --git a/detections/web/vmware_workspace_one_freemarker_server_side_template_injection.yml b/detections/web/vmware_workspace_one_freemarker_server_side_template_injection.yml index 683294728e..6d6fb40a85 100644 --- a/detections/web/vmware_workspace_one_freemarker_server_side_template_injection.yml +++ b/detections/web/vmware_workspace_one_freemarker_server_side_template_injection.yml @@ -18,12 +18,12 @@ references: - https://www.vmware.com/security/advisories/VMSA-2022-0011.html - https://attackerkb.com/topics/BDXyTqY1ld/cve-2022-22954/rapid7-analysis drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/web/web_jsp_request_via_url.yml b/detections/web/web_jsp_request_via_url.yml index 7f126eb35a..a3c9bc4884 100644 --- a/detections/web/web_jsp_request_via_url.yml +++ b/detections/web/web_jsp_request_via_url.yml @@ -16,12 +16,12 @@ references: - https://github.com/TheGejr/SpringShell - https://www.tenable.com/blog/spring4shell-faq-spring-framework-remote-code-execution-vulnerability drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/web/web_remote_shellservlet_access.yml b/detections/web/web_remote_shellservlet_access.yml index 006071d125..8039eb3209 100644 --- a/detections/web/web_remote_shellservlet_access.yml +++ b/detections/web/web_remote_shellservlet_access.yml @@ -14,12 +14,12 @@ known_false_positives: False positives may occur depending on the web server's c references: - http://www.servletsuite.com/servlets/shell.htm drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/web/web_spring4shell_http_request_class_module.yml b/detections/web/web_spring4shell_http_request_class_module.yml index 4d2b740492..321632df47 100644 --- a/detections/web/web_spring4shell_http_request_class_module.yml +++ b/detections/web/web_spring4shell_http_request_class_module.yml @@ -14,12 +14,12 @@ known_false_positives: False positives may occur and filtering may be required. references: - https://github.com/DDuarte/springshell-rce-poc/blob/master/poc.py drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/web/web_spring_cloud_function_functionrouter.yml b/detections/web/web_spring_cloud_function_functionrouter.yml index 6a3f52aee7..6e9cfecf7a 100644 --- a/detections/web/web_spring_cloud_function_functionrouter.yml +++ b/detections/web/web_spring_cloud_function_functionrouter.yml @@ -15,12 +15,12 @@ references: - https://github.com/rapid7/metasploit-framework/pull/16395 - https://github.com/hktalent/spring-spel-0day-poc drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/web/windows_exchange_autodiscover_ssrf_abuse.yml b/detections/web/windows_exchange_autodiscover_ssrf_abuse.yml index 55df30ae30..233ca0702a 100644 --- a/detections/web/windows_exchange_autodiscover_ssrf_abuse.yml +++ b/detections/web/windows_exchange_autodiscover_ssrf_abuse.yml @@ -22,12 +22,12 @@ references: - https://highon.coffee/blog/ssrf-cheat-sheet/ - https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29/ drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/web/windows_iis_server_pswa_console_access.yml b/detections/web/windows_iis_server_pswa_console_access.yml index eac146d7ec..8aaba5eadf 100644 --- a/detections/web/windows_iis_server_pswa_console_access.yml +++ b/detections/web/windows_iis_server_pswa_console_access.yml @@ -8,15 +8,8 @@ data_sources: type: Hunting status: production description: This analytic detects access attempts to the PowerShell Web Access (PSWA) console on Windows IIS servers. It monitors web traffic for requests to PSWA-related URIs, which could indicate legitimate administrative activity or potential unauthorized access attempts. By tracking source IP, HTTP status, URI path, and HTTP method, it helps identify suspicious patterns or brute-force attacks targeting PSWA. This detection is crucial for maintaining the security of remote PowerShell management interfaces and preventing potential exploitation of this powerful administrative tool. -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) - as lastTime from datamodel=Web where Web.dest IN ("/pswa/*") - by Web.src Web.status Web.uri_path Web.dest Web.http_method - Web.uri_query | `drop_dm_object_name("Web")`| `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` - | `windows_iis_server_pswa_console_access_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information - on Web traffic, Exchange OR IIS logs, mapped to `Web` datamodel in the `Web` node. - In addition, confirm the latest CIM App 4.20 or higher is installed. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.dest IN ("/pswa/*") by Web.src Web.status Web.uri_path Web.dest Web.http_method Web.uri_query | `drop_dm_object_name("Web")`| `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_iis_server_pswa_console_access_filter`' +how_to_implement: To successfully implement this search you need to be ingesting information on Web traffic, Exchange OR IIS logs, mapped to `Web` datamodel in the `Web` node. In addition, confirm the latest CIM App 4.20 or higher is installed. known_false_positives: False positives may occur if legitimate PSWA processes are used for administrative tasks. Careful review of the logs is recommended to distinguish between legitimate and malicious activity. references: - https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-241a diff --git a/detections/web/wordpress_bricks_builder_plugin_rce.yml b/detections/web/wordpress_bricks_builder_plugin_rce.yml index 08c93b07e8..2afbb474b9 100644 --- a/detections/web/wordpress_bricks_builder_plugin_rce.yml +++ b/detections/web/wordpress_bricks_builder_plugin_rce.yml @@ -18,12 +18,12 @@ references: - https://op-c.net/blog/cve-2024-25600-wordpresss-bricks-builder-rce-flaw-under-active-exploitation/ - https://thehackernews.com/2024/02/wordpress-bricks-theme-under-active.html drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/web/ws_ftp_remote_code_execution.yml b/detections/web/ws_ftp_remote_code_execution.yml index f7998bdc41..678bb61cf7 100644 --- a/detections/web/ws_ftp_remote_code_execution.yml +++ b/detections/web/ws_ftp_remote_code_execution.yml @@ -16,12 +16,12 @@ references: - https://www.assetnote.io/resources/research/rce-in-progress-ws-ftp-ad-hoc-via-iis-http-modules-cve-2023-40044 - https://github.com/rapid7/metasploit-framework/pull/18414 drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/web/zscaler_adware_activities_threat_blocked.yml b/detections/web/zscaler_adware_activities_threat_blocked.yml index b1d93b1d8e..5f2e135eb4 100644 --- a/detections/web/zscaler_adware_activities_threat_blocked.yml +++ b/detections/web/zscaler_adware_activities_threat_blocked.yml @@ -13,12 +13,12 @@ known_false_positives: False positives are limited to Zscaler configuration. references: - https://help.zscaler.com/zia/nss-feed-output-format-web-logs drilldown_searches: -- name: View the detection results for $src$ and $user$ - search: '%original_detection_search% | search src = $src$ user = $user$' +- name: View the detection results for - "$src$" and "$user$" + search: '%original_detection_search% | search src = "$src$" user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $src$ and $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($src$, $user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$src$" and "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/web/zscaler_behavior_analysis_threat_blocked.yml b/detections/web/zscaler_behavior_analysis_threat_blocked.yml index fcd3d49b06..fc5f7f6c48 100644 --- a/detections/web/zscaler_behavior_analysis_threat_blocked.yml +++ b/detections/web/zscaler_behavior_analysis_threat_blocked.yml @@ -13,12 +13,12 @@ known_false_positives: False positives are limited to Zscalar configuration. references: - https://help.zscaler.com/zia/nss-feed-output-format-web-logs drilldown_searches: -- name: View the detection results for $src$ and $user$ - search: '%original_detection_search% | search src = $src$ user = $user$' +- name: View the detection results for - "$src$" and "$user$" + search: '%original_detection_search% | search src = "$src$" user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $src$ and $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($src$, $user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$src$" and "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/web/zscaler_cryptominer_downloaded_threat_blocked.yml b/detections/web/zscaler_cryptominer_downloaded_threat_blocked.yml index 14c64d8cee..cd49da9142 100644 --- a/detections/web/zscaler_cryptominer_downloaded_threat_blocked.yml +++ b/detections/web/zscaler_cryptominer_downloaded_threat_blocked.yml @@ -13,12 +13,12 @@ known_false_positives: False positives are limited to Zscaler configuration. references: - https://help.zscaler.com/zia/nss-feed-output-format-web-logs drilldown_searches: -- name: View the detection results for $src$ and $user$ - search: '%original_detection_search% | search src = $src$ user = $user$' +- name: View the detection results for - "$src$" and "$user$" + search: '%original_detection_search% | search src = "$src$" user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $src$ and $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($src$, $user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$src$" and "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/web/zscaler_employment_search_web_activity.yml b/detections/web/zscaler_employment_search_web_activity.yml index 8d7f5cc48a..63a7d4278c 100644 --- a/detections/web/zscaler_employment_search_web_activity.yml +++ b/detections/web/zscaler_employment_search_web_activity.yml @@ -13,12 +13,12 @@ known_false_positives: False positives are limited to Zscaler configuration. references: - https://help.zscaler.com/zia/nss-feed-output-format-web-logs drilldown_searches: -- name: View the detection results for $src$ and $user$ - search: '%original_detection_search% | search src = $src$ user = $user$' +- name: View the detection results for - "$src$" and "$user$" + search: '%original_detection_search% | search src = "$src$" user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $src$ and $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($src$, $user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$src$" and "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/web/zscaler_exploit_threat_blocked.yml b/detections/web/zscaler_exploit_threat_blocked.yml index ab77e3be86..c7ae814a0a 100644 --- a/detections/web/zscaler_exploit_threat_blocked.yml +++ b/detections/web/zscaler_exploit_threat_blocked.yml @@ -13,12 +13,12 @@ known_false_positives: False positives are limited to Zscaler configuration. references: - https://help.zscaler.com/zia/nss-feed-output-format-web-logs drilldown_searches: -- name: View the detection results for $src$ and $user$ - search: '%original_detection_search% | search src = $src$ user = $user$' +- name: View the detection results for - "$src$" and "$user$" + search: '%original_detection_search% | search src = "$src$" user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $src$ and $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($src$, $user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$src$" and "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/web/zscaler_legal_liability_threat_blocked.yml b/detections/web/zscaler_legal_liability_threat_blocked.yml index 88561c505b..0374908080 100644 --- a/detections/web/zscaler_legal_liability_threat_blocked.yml +++ b/detections/web/zscaler_legal_liability_threat_blocked.yml @@ -13,12 +13,12 @@ known_false_positives: False positives are limited to Zscaler configuration. references: - https://help.zscaler.com/zia/nss-feed-output-format-web-logs drilldown_searches: -- name: View the detection results for $src$ and $user$ - search: '%original_detection_search% | search src = $src$ user = $user$' +- name: View the detection results for - "$src$" and "$user$" + search: '%original_detection_search% | search src = "$src$" user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $src$ and $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($src$, $user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$src$" and "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/web/zscaler_malware_activity_threat_blocked.yml b/detections/web/zscaler_malware_activity_threat_blocked.yml index 722f4ab956..9ec20e0a1a 100644 --- a/detections/web/zscaler_malware_activity_threat_blocked.yml +++ b/detections/web/zscaler_malware_activity_threat_blocked.yml @@ -13,12 +13,12 @@ known_false_positives: False positives are limited to Zscalar configuration. references: - https://help.zscaler.com/zia/nss-feed-output-format-web-logs drilldown_searches: -- name: View the detection results for $src$ and $user$ - search: '%original_detection_search% | search src = $src$ user = $user$' +- name: View the detection results for - "$src$" and "$user$" + search: '%original_detection_search% | search src = "$src$" user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $src$ and $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($src$, $user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$src$" and "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/web/zscaler_phishing_activity_threat_blocked.yml b/detections/web/zscaler_phishing_activity_threat_blocked.yml index f75e5c4795..c1d3357467 100644 --- a/detections/web/zscaler_phishing_activity_threat_blocked.yml +++ b/detections/web/zscaler_phishing_activity_threat_blocked.yml @@ -13,12 +13,12 @@ known_false_positives: False positives are limited to Zscalar configuration. references: - https://help.zscaler.com/zia/nss-feed-output-format-web-logs drilldown_searches: -- name: View the detection results for $src$ and $user$ - search: '%original_detection_search% | search src = $src$ user = $user$' +- name: View the detection results for - "$src$" and "$user$" + search: '%original_detection_search% | search src = "$src$" user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $src$ and $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($src$, $user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$src$" and "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/web/zscaler_potentially_abused_file_download.yml b/detections/web/zscaler_potentially_abused_file_download.yml index 564792ff71..b7fed03db7 100644 --- a/detections/web/zscaler_potentially_abused_file_download.yml +++ b/detections/web/zscaler_potentially_abused_file_download.yml @@ -13,12 +13,12 @@ known_false_positives: False positives are limited to Zscaler configuration. references: - https://help.zscaler.com/zia/nss-feed-output-format-web-logs drilldown_searches: -- name: View the detection results for $src$ and $user$ - search: '%original_detection_search% | search src = $src$ user = $user$' +- name: View the detection results for - "$src$" and "$user$" + search: '%original_detection_search% | search src = "$src$" user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $src$ and $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($src$, $user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$src$" and "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/web/zscaler_privacy_risk_destinations_threat_blocked.yml b/detections/web/zscaler_privacy_risk_destinations_threat_blocked.yml index 143e1b9c55..c13b18286c 100644 --- a/detections/web/zscaler_privacy_risk_destinations_threat_blocked.yml +++ b/detections/web/zscaler_privacy_risk_destinations_threat_blocked.yml @@ -13,12 +13,12 @@ known_false_positives: False positives are limited to Zscaler configuration. references: - https://help.zscaler.com/zia/nss-feed-output-format-web-logs drilldown_searches: -- name: View the detection results for $src$ and $user$ - search: '%original_detection_search% | search src = $src$ user = $user$' +- name: View the detection results for - "$src$" and "$user$" + search: '%original_detection_search% | search src = "$src$" user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $src$ and $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($src$, $user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$src$" and "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/web/zscaler_scam_destinations_threat_blocked.yml b/detections/web/zscaler_scam_destinations_threat_blocked.yml index 665f4e7a9a..17755e36e5 100644 --- a/detections/web/zscaler_scam_destinations_threat_blocked.yml +++ b/detections/web/zscaler_scam_destinations_threat_blocked.yml @@ -13,12 +13,12 @@ known_false_positives: False positives are limited to Zscaler configuration. references: - https://help.zscaler.com/zia/nss-feed-output-format-web-logs drilldown_searches: -- name: View the detection results for $src$ and $user$ - search: '%original_detection_search% | search src = $src$ user = $user$' +- name: View the detection results for - "$src$" and "$user$" + search: '%original_detection_search% | search src = "$src$" user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $src$ and $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($src$, $user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$src$" and "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/web/zscaler_virus_download_threat_blocked.yml b/detections/web/zscaler_virus_download_threat_blocked.yml index d3bdd6250b..3ae874d2b7 100644 --- a/detections/web/zscaler_virus_download_threat_blocked.yml +++ b/detections/web/zscaler_virus_download_threat_blocked.yml @@ -13,12 +13,12 @@ known_false_positives: False positives are limited to Zscaler configuration. references: - https://help.zscaler.com/zia/nss-feed-output-format-web-logs drilldown_searches: -- name: View the detection results for $src$ and $user$ - search: '%original_detection_search% | search src = $src$ user = $user$' +- name: View the detection results for - "$src$" and "$user$" + search: '%original_detection_search% | search src = "$src$" user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $src$ and $user$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($src$, $user$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$src$" and "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: