diff --git a/detections/endpoint/windows_bitlockertogo_process_execution.yml b/detections/endpoint/windows_bitlockertogo_process_execution.yml index 7f08c25fae..6596c65780 100644 --- a/detections/endpoint/windows_bitlockertogo_process_execution.yml +++ b/detections/endpoint/windows_bitlockertogo_process_execution.yml @@ -4,7 +4,7 @@ version: 1 date: '2024-11-13' author: Michael Haag, Nasreddine Bencherchali, Splunk data_sources: -- Sysmon Event ID 1 +- Sysmon EventID 1 - Windows Event Log Security 4688 type: Hunting status: production diff --git a/detections/endpoint/windows_disable_or_stop_browser_process.yml b/detections/endpoint/windows_disable_or_stop_browser_process.yml index 865efdcd6b..86f1068c6b 100644 --- a/detections/endpoint/windows_disable_or_stop_browser_process.yml +++ b/detections/endpoint/windows_disable_or_stop_browser_process.yml @@ -4,7 +4,7 @@ version: 1 date: '2024-09-24' author: Teoderick Contreras, Splunk data_sources: -- Sysmon Event ID 1 +- Sysmon EventID 1 type: TTP status: production description: The following analytic detects the use of the taskkill command in a process command line to terminate several known browser processes, a technique commonly employed by the Braodo stealer malware to steal credentials. By forcefully closing browsers like Chrome, Edge, and Firefox, the malware can unlock files that store sensitive information, such as passwords and login data. This detection focuses on identifying taskkill commands targeting these browsers, signaling malicious intent. Early detection allows security teams to investigate and prevent further credential theft and system compromise. diff --git a/detections/endpoint/windows_process_with_netexec_command_line_parameters.yml b/detections/endpoint/windows_process_with_netexec_command_line_parameters.yml index b59ae667e6..b963bbc891 100644 --- a/detections/endpoint/windows_process_with_netexec_command_line_parameters.yml 
+++ b/detections/endpoint/windows_process_with_netexec_command_line_parameters.yml @@ -8,7 +8,7 @@ type: TTP description: The following analytic detects the use of NetExec (formally CrackmapExec) a toolset used for post-exploitation enumeration and attack within Active Directory environments through command line parameters. It leverages Endpoint Detection and Response (EDR) data to identify specific command-line arguments associated with actions like ticket manipulation, kerberoasting, and password spraying. This activity is significant as NetExec is used by adversaries to exploit Kerberos for privilege escalation and lateral movement. If confirmed malicious, this could lead to unauthorized access, persistence, and potential compromise of sensitive information within the network. data_source: - Windows Security Event ID 4688 -- Sysmon Event ID 1 +- Sysmon EventID 1 - CrowdStrike ProcessRollup2 search: '| tstats `security_content_summariesonly` values(Processes.parent_process) as Processes.parent_process, values(Processes.process) as Processes.process values(Processes.process_current_directory) AS process_current_directory, values(Processes.process_id) as Processes.process_id, values(Processes.process_guid) as Processes.process_guid, count min(_time) AS firstTime, max(_time) AS lastTime FROM datamodel=Endpoint.Processes where Processes.process_name IN ("nxc.exe") OR Processes.original_file_name IN ("nxc.exe") OR (Processes.process IN ("* smb *","* ssh *","* ldap *","* ftp *","* wmi *","* winrm *","* rdp *","* vnc *","* mssql *","* nfs *") AND ((Processes.process = "* -p *" AND Processes.process = "* -u *") OR Processes.process IN ("* -x *","* -M *","* --*"))) BY _time span=1h Processes.user Processes.dest Processes.process_name Processes.parent_process_name |`drop_dm_object_name(Processes)`
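Review bot: In the windows_bitlockertogo_process_execution.yml hunk the neighbouring context line `- Windows Event Log Security 4688` names the same source that windows_process_with_netexec_command_line_parameters.yml lists as `- Windows Security Event ID 4688`, so this patch fixes one inconsistent data-source label (`Sysmon Event ID 1` to `Sysmon EventID 1`) while leaving a second one in place; since the 4688 string is already inside the edited hunk, normalizing it here to whichever form the repository treats as canonical would keep the two files from drifting, and the same applies to the key name, which is `data_sources:` in this file and in windows_disable_or_stop_browser_process.yml but `data_source:` in the netexec detection, a difference any tooling that keys on the field will notice.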
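Review bot: In the windows_process_with_netexec_command_line_parameters.yml hunk the context line `description: The following analytic detects the use of NetExec (formally CrackmapExec) ...` has a wording error that the hunk touches directly: "formally" should be "formerly", and the tool's usual spelling is "CrackMapExec"; since the description is part of the edited region, fixing it in this PR is cheaper than a follow-up. Two smaller points in the same file: the key is `data_source:` (singular) while the other two files in this patch use `data_sources:`, and in the `search:` line the alias `values(Processes.process_current_directory) AS process_current_directory` is the only aggregation not written with the `Processes.` prefix, which works only because `drop_dm_object_name(Processes)` strips the prefix from the others, so it would be clearer to write it the same way as its neighbours.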