From ab50618243341c46ce336d3034ff35b9ca42587a Mon Sep 17 00:00:00 2001
From: Bhavin Patel
Date: Tue, 23 Jul 2024 14:09:53 -0500
Subject: [PATCH 1/2] updating version and date

---
 detections/endpoint/disable_logs_using_wevtutil.yml | 7 ++++---
 .../endpoint/disable_windows_behavior_monitoring.yml | 7 ++++---
 ...emote_process_instantiation_via_dcom_and_powershell.yml | 7 ++++---
 ...mote_process_instantiation_via_winrm_and_powershell.yml | 7 ++++---
 .../remote_process_instantiation_via_winrm_and_winrs.yml | 7 ++++---
 ...scheduled_task_creation_on_remote_endpoint_using_at.yml | 7 ++++---
 .../scheduled_task_initiation_on_remote_endpoint.yml | 7 ++++---
 detections/endpoint/windows_new_inprocserver32_added.yml | 7 ++++---
 .../windows_service_creation_on_remote_endpoint.yml | 7 ++++---
 .../windows_service_initiation_on_remote_endpoint.yml | 7 ++++---
 10 files changed, 40 insertions(+), 30 deletions(-)

diff --git a/detections/endpoint/disable_logs_using_wevtutil.yml b/detections/endpoint/disable_logs_using_wevtutil.yml
index 8e9b434c05..53ebaaa4c1 100644
--- a/detections/endpoint/disable_logs_using_wevtutil.yml
+++ b/detections/endpoint/disable_logs_using_wevtutil.yml
@@ -1,7 +1,7 @@
 name: Disable Logs Using WevtUtil
 id: 236e7c8e-c9d9-11eb-a824-acde48001122
-version: 2
-date: '2024-05-13'
+version: 4
+date: '2024-07-23'
 author: Teoderick Contreras, Splunk
 status: production
 type: TTP
@@ -41,7 +41,7 @@ tags:
 asset_type: Endpoint
 confidence: 80
 impact: 30
- message: WevtUtil.exe used to disable Event Logging on $dest
+ message: WevtUtil.exe used to disable Event Logging on $dest$
 mitre_attack_id:
 - T1070
 - T1070.001
@@ -73,3 +73,4 @@ tests:
 https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/ransomware_ttp/data1/windows-sysmon.log
 source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
 sourcetype: xmlwineventlog
+# version bumped by pre-commit hook
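Review bot: The `+# version bumped by pre-commit hook` line appended at the end of disable_logs_using_wevtutil.yml is process metadata that does not belong in a detection definition, and the same line is appended to the other nine files in this patch. It is already stale: the second patch in this series hand-corrects `version` in eight of these files from 4 to 3, so the comment no longer describes how the version was produced, and any tooling that loads and re-emits these YAML files will silently drop it anyway. I would remove the added line from each file and let the hook record its bump in the commit message rather than in the content file. The `tests:` block this hunk sits in starts outside the hunk.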
diff --git a/detections/endpoint/disable_windows_behavior_monitoring.yml b/detections/endpoint/disable_windows_behavior_monitoring.yml
index 5c5df98512..faeab8144f 100644
--- a/detections/endpoint/disable_windows_behavior_monitoring.yml
+++ b/detections/endpoint/disable_windows_behavior_monitoring.yml
@@ -1,7 +1,7 @@
 name: Disable Windows Behavior Monitoring
 id: 79439cae-9200-11eb-a4d3-acde48001122
-version: 6
-date: '2024-05-18'
+version: 7
+date: '2024-07-23'
 author: Steven Dick, Teoderick Contreras, Splunk
 status: production
 type: TTP
@@ -48,7 +48,7 @@ tags:
 asset_type: Endpoint
 confidence: 100
 impact: 40
- message: Windows Defender real time behavior monitoring disabled on $dest
+ message: Windows Defender real time behavior monitoring disabled on $dest$
 mitre_attack_id:
 - T1562.001
 - T1562
@@ -78,3 +78,4 @@ tests:
 https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/win_app_defender_disabling/windows-sysmon.log
 source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
 sourcetype: xmlwineventlog
+# version bumped by pre-commit hook
diff --git a/detections/endpoint/remote_process_instantiation_via_dcom_and_powershell.yml b/detections/endpoint/remote_process_instantiation_via_dcom_and_powershell.yml
index 6f3ea167d8..5a9f194e6d 100644
--- a/detections/endpoint/remote_process_instantiation_via_dcom_and_powershell.yml
+++ b/detections/endpoint/remote_process_instantiation_via_dcom_and_powershell.yml
@@ -1,7 +1,7 @@
 name: Remote Process Instantiation via DCOM and PowerShell
 id: d4f42098-4680-11ec-ad07-3e22fbd008af
-version: 2
-date: '2024-05-20'
+version: 4
+date: '2024-07-23'
 author: Mauricio Velazco, Splunk
 status: production
 type: TTP
@@ -42,7 +42,7 @@ tags:
 asset_type: Endpoint
 confidence: 70
 impact: 90
- message: A process was started on a remote endpoint from $dest by abusing DCOM using
+ message: A process was started on a remote endpoint from $dest$ by abusing DCOM using
 PowerShell.exe
 mitre_attack_id:
 - T1021
@@ -78,3 +78,4 @@ tests:
 https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1021.003/lateral_movement/windows-sysmon.log
 source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
 sourcetype: xmlwineventlog
+# version bumped by pre-commit hook
diff --git a/detections/endpoint/remote_process_instantiation_via_winrm_and_powershell.yml b/detections/endpoint/remote_process_instantiation_via_winrm_and_powershell.yml
index 9e728ff016..afd281e4fa 100644
--- a/detections/endpoint/remote_process_instantiation_via_winrm_and_powershell.yml
+++ b/detections/endpoint/remote_process_instantiation_via_winrm_and_powershell.yml
@@ -1,7 +1,7 @@
 name: Remote Process Instantiation via WinRM and PowerShell
 id: ba24cda8-4716-11ec-8009-3e22fbd008af
-version: 2
-date: '2024-05-14'
+version: 4
+date: '2024-07-23'
 author: Mauricio Velazco, Splunk
 status: production
 type: TTP
@@ -42,7 +42,7 @@ tags:
 asset_type: Endpoint
 confidence: 50
 impact: 90
- message: A process was started on a remote endpoint from $dest by abusing WinRM
+ message: A process was started on a remote endpoint from $dest$ by abusing WinRM
 using PowerShell.exe
 mitre_attack_id:
 - T1021
@@ -78,3 +78,4 @@ tests:
 https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1021.006/lateral_movement_psh/windows-sysmon.log
 source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
 sourcetype: xmlwineventlog
+# version bumped by pre-commit hook
diff --git a/detections/endpoint/remote_process_instantiation_via_winrm_and_winrs.yml b/detections/endpoint/remote_process_instantiation_via_winrm_and_winrs.yml
index 0e1089703d..66809aef16 100644
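Review bot: The corrected `message:` on the `+` line of the `@@ -42,7 +42,7 @@` hunk in remote_process_instantiation_via_dcom_and_powershell.yml is a plain scalar that continues onto the following `PowerShell.exe` context line; YAML folds that into one line with a single space, but it reads as a dangling token to anyone editing the file, and the same pattern is in the `@@ -42,7 +42,7 @@` hunk of remote_process_instantiation_via_winrm_and_powershell.yml further down. A folded block scalar makes the continuation explicit without changing the value: `message: >-` / `  A process was started on a remote endpoint from $dest$ by abusing DCOM using` / `  PowerShell.exe`. The enclosing `tags:` mapping starts outside the hunk.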
--- a/detections/endpoint/remote_process_instantiation_via_winrm_and_winrs.yml
+++ b/detections/endpoint/remote_process_instantiation_via_winrm_and_winrs.yml
@@ -1,7 +1,7 @@
 name: Remote Process Instantiation via WinRM and Winrs
 id: 0dd296a2-4338-11ec-ba02-3e22fbd008af
-version: 2
-date: '2024-05-16'
+version: 4
+date: '2024-07-23'
 author: Mauricio Velazco, Splunk
 status: production
 type: TTP
@@ -42,7 +42,7 @@ tags:
 asset_type: Endpoint
 confidence: 60
 impact: 90
- message: A process was started on a remote endpoint from $dest
+ message: A process was started on a remote endpoint from $dest$
 mitre_attack_id:
 - T1021
 - T1021.006
@@ -77,3 +77,4 @@ tests:
 https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1021.006/lateral_movement/windows-sysmon.log
 source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
 sourcetype: xmlwineventlog
+# version bumped by pre-commit hook
diff --git a/detections/endpoint/scheduled_task_creation_on_remote_endpoint_using_at.yml b/detections/endpoint/scheduled_task_creation_on_remote_endpoint_using_at.yml
index 6462ab1b60..19e2fd49e6 100644
--- a/detections/endpoint/scheduled_task_creation_on_remote_endpoint_using_at.yml
+++ b/detections/endpoint/scheduled_task_creation_on_remote_endpoint_using_at.yml
@@ -1,7 +1,7 @@
 name: Scheduled Task Creation on Remote Endpoint using At
 id: 4be54858-432f-11ec-8209-3e22fbd008af
-version: 2
-date: '2024-05-24'
+version: 4
+date: '2024-07-23'
 author: Mauricio Velazco, Splunk
 status: production
 type: TTP
@@ -43,7 +43,7 @@ tags:
 asset_type: Endpoint
 confidence: 60
 impact: 90
- message: A Windows Scheduled Task was created on a remote endpoint from $dest
+ message: A Windows Scheduled Task was created on a remote endpoint from $dest$
 mitre_attack_id:
 - T1053
 - T1053.002
@@ -78,3 +78,4 @@ tests:
 https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.002/lateral_movement/windows-sysmon.log
 source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
 sourcetype: xmlwineventlog
+# version bumped by pre-commit hook
diff --git a/detections/endpoint/scheduled_task_initiation_on_remote_endpoint.yml b/detections/endpoint/scheduled_task_initiation_on_remote_endpoint.yml
index 437884fada..ac9455fd63 100644
--- a/detections/endpoint/scheduled_task_initiation_on_remote_endpoint.yml
+++ b/detections/endpoint/scheduled_task_initiation_on_remote_endpoint.yml
@@ -1,7 +1,7 @@
 name: Scheduled Task Initiation on Remote Endpoint
 id: 95cf4608-4302-11ec-8194-3e22fbd008af
-version: 2
-date: '2024-05-25'
+version: 4
+date: '2024-07-23'
 author: Mauricio Velazco, Splunk
 status: production
 type: TTP
@@ -42,7 +42,7 @@ tags:
 asset_type: Endpoint
 confidence: 60
 impact: 90
- message: A Windows Scheduled Task was ran on a remote endpoint from $dest
+ message: A Windows Scheduled Task was ran on a remote endpoint from $dest$
 mitre_attack_id:
 - T1053
 - T1053.005
@@ -77,3 +77,4 @@ tests:
 https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.005/lateral_movement/windows-sysmon.log
 source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
 sourcetype: xmlwineventlog
+# version bumped by pre-commit hook
diff --git a/detections/endpoint/windows_new_inprocserver32_added.yml b/detections/endpoint/windows_new_inprocserver32_added.yml
index 0b9156b74e..9d0e9c77fb 100644
--- a/detections/endpoint/windows_new_inprocserver32_added.yml
+++ b/detections/endpoint/windows_new_inprocserver32_added.yml
@@ -1,7 +1,7 @@
 name: Windows New InProcServer32 Added
 id: 0fa86e31-0f73-4ec7-9ca3-dc88e117f1db
-version: 2
-date: '2024-05-13'
+version: 3
+date: '2024-07-23'
 author: Michael Haag, Splunk
 data_source:
 - Sysmon EventID 13
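Review bot: The rewritten `+` line in the `@@ -42,7 +42,7 @@` hunk of scheduled_task_initiation_on_remote_endpoint.yml still carries the grammatical slip `was ran`; since the line is being touched anyway, make it `message: A Windows Scheduled Task was run on a remote endpoint from $dest$`. This string is what analysts see on the resulting risk/notable event, so it is worth correcting here rather than in a later pass. The enclosing `tags:` mapping starts outside the hunk.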
@@ -57,7 +57,7 @@ tags:
 risk_score: 2
 security_domain: endpoint
 cve:
- cve-2024-21378
+ CVE-2024-21378
 tests:
 - name: True Positive Test
 attack_data:
@@ -65,3 +65,4 @@ tests:
 https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566/cve-2024-21378/inprocserver32_windows-sysmon.log
 sourcetype: xmlwineventlog
 source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
+# version bumped by pre-commit hook
diff --git a/detections/endpoint/windows_service_creation_on_remote_endpoint.yml b/detections/endpoint/windows_service_creation_on_remote_endpoint.yml
index a2742671f3..2b09dcb326 100644
--- a/detections/endpoint/windows_service_creation_on_remote_endpoint.yml
+++ b/detections/endpoint/windows_service_creation_on_remote_endpoint.yml
@@ -1,7 +1,7 @@
 name: Windows Service Creation on Remote Endpoint
 id: e0eea4fa-4274-11ec-882b-3e22fbd008af
-version: 2
-date: '2024-05-21'
+version: 4
+date: '2024-07-23'
 author: Mauricio Velazco, Splunk
 status: production
 type: TTP
@@ -44,7 +44,7 @@ tags:
 asset_type: Endpoint
 confidence: 60
 impact: 90
- message: A Windows Service was created on a remote endpoint from $dest
+ message: A Windows Service was created on a remote endpoint from $dest$
 mitre_attack_id:
 - T1543
 - T1543.003
@@ -79,3 +79,4 @@ tests:
 https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1543.003/lateral_movement/windows-sysmon.log
 source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
 sourcetype: xmlwineventlog
+# version bumped by pre-commit hook
diff --git a/detections/endpoint/windows_service_initiation_on_remote_endpoint.yml b/detections/endpoint/windows_service_initiation_on_remote_endpoint.yml
index 2aa32d5e0e..3b2c7779bc 100644
--- a/detections/endpoint/windows_service_initiation_on_remote_endpoint.yml
+++ b/detections/endpoint/windows_service_initiation_on_remote_endpoint.yml
@@ -1,7 +1,7 @@
 name: Windows Service Initiation on Remote Endpoint
 id: 3f519894-4276-11ec-ab02-3e22fbd008af
-version: 2
-date: '2024-05-10'
+version: 4
+date: '2024-07-23'
 author: Mauricio Velazco, Splunk
 status: production
 type: TTP
@@ -41,7 +41,7 @@ tags:
 asset_type: Endpoint
 confidence: 60
 impact: 90
- message: A Windows Service was started on a remote endpoint from $dest
+ message: A Windows Service was started on a remote endpoint from $dest$
 mitre_attack_id:
 - T1543
 - T1543.003
@@ -76,3 +76,4 @@ tests:
 https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1543.003/lateral_movement/windows-sysmon.log
 source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
 sourcetype: xmlwineventlog
+# version bumped by pre-commit hook

From 41e8d181d0af9b255037b8d68f40a34cd7ce9cf2 Mon Sep 17 00:00:00 2001
From: Bhavin Patel
Date: Tue, 23 Jul 2024 14:45:13 -0500
Subject: [PATCH 2/2] updating version

---
 detections/endpoint/disable_logs_using_wevtutil.yml | 2 +-
 .../remote_process_instantiation_via_dcom_and_powershell.yml | 2 +-
 .../remote_process_instantiation_via_winrm_and_powershell.yml | 2 +-
 .../remote_process_instantiation_via_winrm_and_winrs.yml | 2 +-
 .../scheduled_task_creation_on_remote_endpoint_using_at.yml | 2 +-
 .../endpoint/scheduled_task_initiation_on_remote_endpoint.yml | 2 +-
 .../endpoint/windows_service_creation_on_remote_endpoint.yml | 2 +-
 .../endpoint/windows_service_initiation_on_remote_endpoint.yml | 2 +-
 8 files changed, 8 insertions(+), 8 deletions(-)

diff --git a/detections/endpoint/disable_logs_using_wevtutil.yml b/detections/endpoint/disable_logs_using_wevtutil.yml
index 53ebaaa4c1..d6d862df55 100644
--- a/detections/endpoint/disable_logs_using_wevtutil.yml
+++ b/detections/endpoint/disable_logs_using_wevtutil.yml
@@ -1,6 +1,6 @@
 name: Disable Logs Using WevtUtil
 id: 236e7c8e-c9d9-11eb-a824-acde48001122
-version: 4
+version: 3
 date: '2024-07-23'
 author: Teoderick Contreras, Splunk
 status: production
diff --git a/detections/endpoint/remote_process_instantiation_via_dcom_and_powershell.yml b/detections/endpoint/remote_process_instantiation_via_dcom_and_powershell.yml
index 5a9f194e6d..8dc4550c8c 100644
--- a/detections/endpoint/remote_process_instantiation_via_dcom_and_powershell.yml
+++ b/detections/endpoint/remote_process_instantiation_via_dcom_and_powershell.yml
@@ -1,6 +1,6 @@
 name: Remote Process Instantiation via DCOM and PowerShell
 id: d4f42098-4680-11ec-ad07-3e22fbd008af
-version: 4
+version: 3
 date: '2024-07-23'
 author: Mauricio Velazco, Splunk
 status: production
diff --git a/detections/endpoint/remote_process_instantiation_via_winrm_and_powershell.yml b/detections/endpoint/remote_process_instantiation_via_winrm_and_powershell.yml
index afd281e4fa..af56428100 100644
--- a/detections/endpoint/remote_process_instantiation_via_winrm_and_powershell.yml
+++ b/detections/endpoint/remote_process_instantiation_via_winrm_and_powershell.yml
@@ -1,6 +1,6 @@
 name: Remote Process Instantiation via WinRM and PowerShell
 id: ba24cda8-4716-11ec-8009-3e22fbd008af
-version: 4
+version: 3
 date: '2024-07-23'
 author: Mauricio Velazco, Splunk
 status: production
diff --git a/detections/endpoint/remote_process_instantiation_via_winrm_and_winrs.yml b/detections/endpoint/remote_process_instantiation_via_winrm_and_winrs.yml
index 66809aef16..dc49246063 100644
--- a/detections/endpoint/remote_process_instantiation_via_winrm_and_winrs.yml
+++ b/detections/endpoint/remote_process_instantiation_via_winrm_and_winrs.yml
@@ -1,6 +1,6 @@
 name: Remote Process Instantiation via WinRM and Winrs
 id: 0dd296a2-4338-11ec-ba02-3e22fbd008af
-version: 4
+version: 3
 date: '2024-07-23'
 author: Mauricio Velazco, Splunk
 status: production
diff --git a/detections/endpoint/scheduled_task_creation_on_remote_endpoint_using_at.yml b/detections/endpoint/scheduled_task_creation_on_remote_endpoint_using_at.yml
index 19e2fd49e6..837dcae27a 100644
--- a/detections/endpoint/scheduled_task_creation_on_remote_endpoint_using_at.yml
+++ b/detections/endpoint/scheduled_task_creation_on_remote_endpoint_using_at.yml
@@ -1,6 +1,6 @@
 name: Scheduled Task Creation on Remote Endpoint using At
 id: 4be54858-432f-11ec-8209-3e22fbd008af
-version: 4
+version: 3
 date: '2024-07-23'
 author: Mauricio Velazco, Splunk
 status: production
diff --git a/detections/endpoint/scheduled_task_initiation_on_remote_endpoint.yml b/detections/endpoint/scheduled_task_initiation_on_remote_endpoint.yml
index ac9455fd63..aec10199f4 100644
--- a/detections/endpoint/scheduled_task_initiation_on_remote_endpoint.yml
+++ b/detections/endpoint/scheduled_task_initiation_on_remote_endpoint.yml
@@ -1,6 +1,6 @@
 name: Scheduled Task Initiation on Remote Endpoint
 id: 95cf4608-4302-11ec-8194-3e22fbd008af
-version: 4
+version: 3
 date: '2024-07-23'
 author: Mauricio Velazco, Splunk
 status: production
diff --git a/detections/endpoint/windows_service_creation_on_remote_endpoint.yml b/detections/endpoint/windows_service_creation_on_remote_endpoint.yml
index 2b09dcb326..642eac7e5c 100644
--- a/detections/endpoint/windows_service_creation_on_remote_endpoint.yml
+++ b/detections/endpoint/windows_service_creation_on_remote_endpoint.yml
@@ -1,6 +1,6 @@
 name: Windows Service Creation on Remote Endpoint
 id: e0eea4fa-4274-11ec-882b-3e22fbd008af
-version: 4
+version: 3
 date: '2024-07-23'
 author: Mauricio Velazco, Splunk
 status: production
diff --git a/detections/endpoint/windows_service_initiation_on_remote_endpoint.yml b/detections/endpoint/windows_service_initiation_on_remote_endpoint.yml
index 3b2c7779bc..7c59bd88a4 100644
--- a/detections/endpoint/windows_service_initiation_on_remote_endpoint.yml
+++ b/detections/endpoint/windows_service_initiation_on_remote_endpoint.yml
@@ -1,6 +1,6 @@
 name: Windows Service Initiation on Remote Endpoint
 id: 3f519894-4276-11ec-ab02-3e22fbd008af
-version: 4
+version: 3
 date: '2024-07-23'
 author: Mauricio Velazco, Splunk
 status: production