From ad772ee1eeae698cb197a2766a6affdf07604793 Mon Sep 17 00:00:00 2001
From: ljstella
Date: Thu, 9 Jan 2025 14:57:36 -0600
Subject: [PATCH] More stragglers
---
 ...indows_detect_network_scanner_behavior.yml | 30 +++++++++----------
 ...s_with_netexec_command_line_parameters.yml | 30 +++++++++----------
 2 files changed, 28 insertions(+), 32 deletions(-)
diff --git a/detections/endpoint/windows_detect_network_scanner_behavior.yml b/detections/endpoint/windows_detect_network_scanner_behavior.yml
index 9fc1b34e46..25927e121b 100644
--- a/detections/endpoint/windows_detect_network_scanner_behavior.yml
+++ b/detections/endpoint/windows_detect_network_scanner_behavior.yml
@@ -1,7 +1,7 @@
 name: Windows Detect Network Scanner Behavior
 id: 78e678d2-bf64-4fe6-aa52-2f7b11dddee7
-version: 1
-date: '2024-12-26'
+version: 2
+date: '2025-01-09'
 author: Steven Dick
 status: production
 type: Anomaly
@@ -29,6 +29,18 @@ drilldown_searches:
 search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
 earliest_offset: $info_min_time$
 latest_offset: $info_max_time$
+rba:
+ message: A process exhibiting network scanning behavior [$process_name$] was detected on $src$
+ risk_objects:
+ - field: src
+ type: system
+ score: 25
+ - field: user
+ type: user
+ score: 25
+ threat_objects:
+ - field: process_name
+ type: process_name
 tags:
 analytic_story:
 - Network Discovery
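Review bot: The score 25 given to both risk objects in the new rba block restates `confidence: 50` / `impact: 50`, which the next hunk keeps under tags, so the two values can drift apart on later edits; today 25 equals 50×50/100, but as far as this patch shows nothing ties them together. A comment above the block such as `# score = tags.confidence * tags.impact / 100 — keep in sync` would make the dependency visible, and the same applies to the rba block added to windows_process_with_netexec_command_line_parameters.yml, where 64 matches 80×80/100. The message names $src$ and $process_name$ but not $user$, although user is an equal-scored risk object, so risk events attributed to the user would presumably carry a message that does not identify them; `message: A process exhibiting network scanning behavior [$process_name$] was detected on $src$ by $user$` would cover both. Whether the search itself emits the process_name field relied on by threat_objects cannot be confirmed from this hunk.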
@@ -36,24 +48,10 @@ tags:
 asset_type: Endpoint
 confidence: 50
 impact: 50
- message: A process exhibiting network scanning behavior [$process_name$] was detected on $src$
 mitre_attack_id:
 - T1595
 - T1595.001
 - T1595.002
- observable:
- - name: src
- type: IP Address
- role:
- - Victim
- - name: user
- type: User
- role:
- - Victim
- - name: process_name
- type: Process
- role:
- - Attacker
 product:
 - Splunk Enterprise
 - Splunk Enterprise Security
diff --git a/detections/endpoint/windows_process_with_netexec_command_line_parameters.yml b/detections/endpoint/windows_process_with_netexec_command_line_parameters.yml
index b59ae667e6..584900eac0 100644
--- a/detections/endpoint/windows_process_with_netexec_command_line_parameters.yml
+++ b/detections/endpoint/windows_process_with_netexec_command_line_parameters.yml
@@ -1,7 +1,7 @@
 name: Windows Process With NetExec Command Line Parameters
 id: adbff89c-c1f2-4a2e-88a4-b5e645856510
-version: 1
-date: '2024-12-19'
+version: 2
+date: '2025-01-09'
 author: Steven Dick, Github Community
 status: production
 type: TTP
@@ -34,6 +34,18 @@ drilldown_searches:
 search: '| from datamodel:Endpoint.Processes | search dest=$dest$ process_name = $process_name$'
 earliest_offset: $info_min_time$
 latest_offset: $info_max_time$
+rba:
+ message: NetExec command line parameters were used on $dest$ by $user$
+ risk_objects:
+ - field: user
+ type: user
+ score: 64
+ - field: dest
+ type: system
+ score: 64
+ threat_objects:
+ - field: parent_process_name
+ type: parent_process_name
 tags:
 analytic_story:
 - Active Directory Kerberos Attacks
@@ -41,26 +53,12 @@ tags:
 asset_type: Endpoint
 confidence: 80
 impact: 80
- message: NetExec command line parameters were used on $dest$ by $user$
 mitre_attack_id:
 - T1550
 - T1550.003
 - T1558
 - T1558.003
 - T1558.004
- observable:
- - name: user
- type: User
- role:
- - Victim
- - name: dest
- type: Hostname
- role:
- - Victim
- - name: parent_process_name
- type: Process
- role:
- - Attacker
 product:
 - Splunk Enterprise
 - Splunk Enterprise Security